A+ Technician's on the Job Guide to Windows XP
Internet Explorer 6 provides a number of security features that manage how Internet Explorer uses different sites and how IE uses and manages cookies. These features, in a further attempt to control online piracy and privacy invasion, give you a number of controls that can be very important in a home or office situation. As an A+ technician, you should be well versed in these options both to configure IE and to solve potential security problems.
Note: Internet Explorer does not provide antivirus software or firewall protection. To make certain that a computer is always safe when using the Internet, third-party antivirus software should always be running and you should also enable the Internet Connection Firewall to prevent hacker attacks. See Chapter 13 to learn more about Internet Connection Firewall.
Configuring Internet Explorer Zones
Internet Explorer uses four different security zones, which you can access on the Security tab of Internet Options, shown in Figure 14-10. On the Security tab, you see the Internet, Local Intranet, Trusted Sites, and Restricted Sites zones. If you select a zone, you can see the current security level of the zone in the lower portion of the window.
You can select from four preconfigured levels of security for each zone by simply moving the slider bar. The levels are as follows:
- High: This setting disables all features that are less secure. This is the safest way to use the Internet, but it provides you with the least amount of functionality. The setting disables all ActiveX content along with all downloads. Additionally, there are a number of restrictions on accessing data and requesting data.
- Medium: The Medium setting does not allow the downloading of unsigned ActiveX controls, and you see the familiar prompt before downloading potentially unsafe content. Browsing is safe, yet functional, under this setting, and in most cases, this is the best setting to use.
- Medium-Low: The Medium-Low setting will run most content without prompts, but still does not allow unsigned ActiveX controls. This setting is safe for intranet use.
- Low: The Low setting provides basic warnings and few safeguards. All active content can run. This setting is not recommended unless the site is one you completely trust.
What exactly are the potential security issues and threats that Internet usage tends to bring to your network? There are a few important ones that you should keep in mind as you are thinking about and configuring security:
- Active Content: Active content from a web site, such as ActiveX controls, scripts, and Java applets, gives the Internet its vast multimedia appeal. However, active content can also harbor viruses and other malicious code. The problem with active content is that an antivirus program cannot scan it before it runs, because it executes as soon as it is downloaded (you cannot download it first and run it later). So the problem comes down to trust: Is the content what it seems to be, or is it really malicious? Internet Explorer attempts to alleviate some of that problem with Authenticode, a digital signature technology. Authenticode enables Internet Explorer to verify that active content has arrived without being changed in transit and that it comes from the publisher that signed it. A valid signature is still not a guarantee that the content is safe, but more than likely it is. Beyond that, the use of active content still comes down to trust: users should be familiar with any web site from which they download content.
- Downloads: Downloads can also contain viruses and other malicious code. The good news about downloads is that you can save the package to your computer and use an antivirus program to scan it before installing it. To be safe, always download the content first and install it only after scanning it with antivirus software.
- Data Management: A lesser, but still important, security issue concerns user data and interaction with web sites. Internet Explorer can prevent a number of potentially risky actions, such as submitting form data over nonencrypted connections.
You can configure different settings for each zone by simply selecting the zone and moving the slider bar. However, you can also customize the settings by clicking the Custom Level button. This opens the Security Settings dialog box, as shown in Figure 14-11. You can scroll through the list of settings and choose the Disable, Enable, or Prompt option for each security setting. This enables you to create a custom security setting that invokes the features that you want instead of the default options. If you want to see what settings are used under one of the default options (such as High, Medium, and so on), click the Reset To drop-down menu at the bottom of the Security Settings dialog box and click Reset. You can then see how each of the custom settings is applied under one of the default security options, and then customize the settings as you wish.
Working with Zones
As you can see, IE’s security features work with different zones so that you can configure different security settings according to those zones. The settings you choose for each zone will depend on the security needs of your network, but there are some basic words of advice that you should heed.
For the Internet zone, the Medium setting is the best. It provides the best browsing functionality, but still has enough controls in place to keep the computer reasonably protected. You can, of course, customize the settings as needed, but as you work with the Internet zone, keep the security settings as high as possible while still preserving the features users need. Low security settings may make browsing easier, but you are asking for problems. The opposite is also true: settings that are too high are very secure, but they hinder browsing capabilities.
The default setting for the Local Intranet zone is Medium-Low. This setting allows you to use the intranet basically as you wish, but prohibits the use of unsigned ActiveX controls. In some cases, you may even want to use the Low setting, if you are certain all of the content on your intranet is safe. If it is, then the Low setting will not prevent any active content from running. If you select the Local Intranet icon on the Security tab, you can also click the Sites button and select or deselect a few other options, as shown here.
You can choose to include all local sites not listed in other zones, including all sites that bypass the proxy server and all network paths. The default setting enables all three of these options, and you should usually leave these enabled. You can also click the Advanced button and add web sites to this zone as well.
If you use a particular site often and you know that content from the site is safe, you can add the site to your Trusted Sites zone. The Trusted Sites zone is made up of sites that you deem trustworthy. When a site is added to the Trusted Sites list, then the Low security setting is used when that site is accessed. This allows you to use the site freely without any security restrictions. Of course, you should make absolutely certain that a site is trustworthy before adding it to your Trusted Sites zone; otherwise, you have no security protection from that site.
The Restricted Sites zone works like the Trusted Sites zone—except in reverse. Sites listed in the Restricted Sites zone are given the High security level in order to protect the computer from harmful content. You can select the Restricted Sites zone and click the Sites button in order to add sites to the zone that might expose harmful content.
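As an added example (not code from the book), here is a small Python model of how a site lands in one of the four zones and which security level it therefore gets, following the zone rules described in this section and the default Local Intranet options. The trusted, restricted and proxy-bypass lists are constructed inputs; treating a dotless host name as a local site and checking Restricted Sites before Trusted Sites are assumptions of this example.

```python
from urllib.parse import urlparse

# Security level each zone applies, as the chapter describes.
ZONE_LEVEL = {"Restricted Sites": "High", "Trusted Sites": "Low",
              "Local Intranet": "Medium-Low", "Internet": "Medium"}

def host_of(site):
    """Lower-cased host from a URL, a UNC network path or a bare host name."""
    if site.startswith("\\\\"):
        return site.split("\\")[2].lower()        # \\server\share -> server
    parsed = urlparse(site if "://" in site else "http://" + site)
    return (parsed.hostname or "").lower()

def classify(site, trusted, restricted, proxy_bypass):
    """Pick the zone for a site using the default Local Intranet options
    (local sites not listed elsewhere, sites that bypass the proxy, network paths).
    Assumptions of this example: Restricted Sites is checked before Trusted Sites
    so a conflicting entry errs on the safe side, and a dotless host name counts
    as a local site."""
    host = host_of(site)
    if not host:
        return "Internet"                        # unparsable input gets the Internet zone
    if host in restricted:
        return "Restricted Sites"
    if host in trusted:
        return "Trusted Sites"
    if site.startswith("\\\\") or host in proxy_bypass or "." not in host:
        return "Local Intranet"
    return "Internet"

def level_for(site, trusted, restricted, proxy_bypass):
    """Security level IE applies to the site under the zone it lands in."""
    return ZONE_LEVEL[classify(site, trusted, restricted, proxy_bypass)]
```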
Working with Privacy Settings
Privacy settings, which are a new feature in Internet Explorer 6, give you a way to manage cookies that are used by Internet Explorer. A cookie is a text file that is exchanged between your browser and a web site. Cookies contain personal information about you, such as your name, e-mail address, and even your surfing and access habits. Cookies are a great feature because they allow a web site to recognize you, remember what you have done at the site in the past, and in the case of online stores, remember what you have bought. The problem, though, comes back to security. If the cookie information gets in the wrong hands, you have just given someone personal information about you. That’s where the problem comes in—cookies personally identify you, and on the Internet, that can be a bad thing. Cookies account for many different kinds of privacy invasions, including a lot of the spam you probably receive in your e-mail inbox.
Internet Explorer 6 provides a collection of settings that can restrict and control cookies. These settings, when effectively used, can help safeguard your information but still allow you to use sites that manage cookies in an appropriate manner. Previous versions of Internet Explorer allowed you to block all cookies or be prompted for each one, but both of these features are really impractical. If you activate the Block Cookie feature, you cannot even log on to some web sites, and because cookies are used so much, the Prompt option can drive your users to call you for help. Rather than employing the simple block feature, Internet Explorer 6 uses a standard called the Platform for Privacy Preferences (P3P), which enables Internet Explorer to inspect cookies, determine how they will be used, and then decide what to do about them. The feature is not perfect, but it does help control cookie usage and the user's privacy. Before you configure privacy settings, there are a couple of concepts with which you should be familiar:
- Compact Privacy Statement: A compact privacy statement tells how cookies are used on the site and how long a particular cookie is used. When you access a web site, the compact privacy statement is contained in the HTTP header of the web site. Internet Explorer can read the compact privacy statement when you first access the site.
- First-Party Cookie: A first-party cookie is a cookie that is generated and used by the site you are currently viewing. First-party cookies contain information about you and your browser, and are commonly used to tailor site content to your needs. First-party cookies are commonly used on online store sites.
- Third-Party Cookie: A third-party cookie is used by a site other than the one that you are currently accessing, such as a banner advertisement. Third-party cookies can be a problem because you do not really know who is using them or what they will do with the personal information contained in the cookie.
- Session Cookie: A session cookie is generated during a single session with a web site, and then deleted once the session has ended. In many cases, you cannot use a web site unless a session cookie can be generated.
- Implicit and Explicit Consent: Implicit consent means that you have not blocked a site from using a cookie; in other words, you have not granted permission, but you have not denied it either. On the other hand, explicit consent means that you have acted to allow a web site to use or gain personal information about you.
Privacy settings are managed on the Privacy tab, shown in Figure 14-12. A slider bar option enables you to select a desired privacy setting.
The standard privacy setting options that are available are as follows:
- Block All Cookies: All cookies are blocked. Web sites cannot generate any new cookies, and no existing cookies can be read. This setting will prevent access to some web sites.
- High: No cookies that use personally identifiable information can be generated without your explicit consent. Web sites that do not have a compact privacy statement cannot generate cookies.
- Medium-High: First-party cookies that use personally identifiable information, which is information that identifies the user, are blocked without your implicit consent. Cookies are blocked from third-party web sites that do not have a compact privacy statement. Also, third-party cookies that use personally identifiable information are blocked without your explicit consent.
- Medium: First-party cookies that use personally identifiable information without your implicit consent are allowed, but they are deleted when you close Internet Explorer. Third-party cookies that use personally identifiable information without your implicit consent are blocked, as well as third-party cookies that do not have a compact privacy statement. The Medium setting is the default Internet Explorer setting.
- Low: The Low setting accepts all first-party cookies. Third-party cookies are blocked from sites that do not have a compact privacy statement. However, third-party cookies that use personally identifiable information are allowed without your implicit consent, but the cookies are deleted when you close Internet Explorer.
- Accept All Cookies: All new cookies are allowed, and all web sites can read existing cookies.
Clicking the Advanced button opens the Advanced Privacy Settings dialog box, shown in Figure 14-13. The Advanced Privacy Settings dialog box essentially allows you to override how cookies are handled for this particular zone. As you can see, you can choose to accept, block, or prompt for first- and third-party cookies, and you can also always allow session cookies. For some users, the automatic cookie-handling settings do not provide the right support. In this case, you can override these settings and choose how you want to handle all first- and third-party cookies at all sites, regardless of the compact privacy statement.
You usually should allow session cookies to be generated so that the web site can keep up with your surfing selections while you are there. Session cookies are typically harmless, and you may find that web surfing is hindered without them. You can try these advanced settings and see if they work for you.
If you choose to use automatic cookie handling, you can override the privacy settings for certain web sites. For example, suppose that a site that you regularly use contains first- and third-party cookies. However, the site does not have a compact privacy policy, and your current cookie settings prohibit the use of first-party cookies on sites with no compact privacy policy. Rather than changing your entire policy, you can simply create an exception for the web site.
On the Privacy tab, click the Edit button. The Per Site Privacy Actions dialog box, shown in Figure 14-14, appears. Simply enter the URL of the web site and click the Block or Allow button. Web sites that you have added appear in the Managed Web Sites list, which you can edit and change at any time.
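An added example, not code from the book, that encodes the slider rules and the per-site exception described above as a Python decision function, plus a check for whether a response carried a compact privacy statement in its P3P header. Whether a cookie is third-party, whether it uses personally identifiable information, and the consent state are assumed inputs supplied by the caller; the sample header in the check is constructed.

```python
# Constructed model of the IE 6 privacy slider rules (assumption: the caller
# supplies third_party, has_cp, uses_pii and the consent flags for each cookie).
BLOCK_ALL, HIGH, MEDIUM_HIGH, MEDIUM, LOW, ACCEPT_ALL = (
    "Block All Cookies", "High", "Medium-High", "Medium", "Low", "Accept All Cookies")

def has_compact_statement(headers):
    """True when a response carries a P3P header holding a compact policy (CP=...)."""
    value = next((v for k, v in headers.items() if k.lower() == "p3p"), "")
    return "cp=" in value.lower()

def cookie_decision(level, third_party, has_cp, uses_pii,
                    implicit_consent=True, explicit_consent=False, site_rule=None):
    """Return 'allow', 'session' (deleted when IE closes) or 'block'.
    site_rule is an Allow/Block entry from Per Site Privacy Actions and wins over
    the slider. Combinations the chapter leaves unstated (e.g. first-party cookies
    with no compact statement at Medium-High) are allowed here by assumption."""
    if site_rule in ("Allow", "Block"):
        return site_rule.lower()
    if level == BLOCK_ALL:
        return "block"
    if level == ACCEPT_ALL:
        return "allow"
    if level == HIGH:
        # No compact statement: no cookies at all; PII needs explicit consent.
        if not has_cp:
            return "block"
        return "block" if uses_pii and not explicit_consent else "allow"
    if third_party:
        if not has_cp:            # Medium-High, Medium and Low all block these
            return "block"
        if uses_pii:
            if level == MEDIUM_HIGH and not explicit_consent:
                return "block"
            if level == MEDIUM and not implicit_consent:
                return "block"
            if level == LOW and not implicit_consent:
                return "session"  # allowed, but deleted when IE closes
        return "allow"
    # First-party cookie: Low accepts all of them unconditionally.
    if uses_pii and not implicit_consent:
        if level == MEDIUM_HIGH:
            return "block"
        if level == MEDIUM:
            return "session"
    return "allow"
```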
Painful Lessons I’ve Learned: Keeping Things Simple
As with most things in the networking world, simplicity is the best option. Although cookie security is great and can be useful in a number of situations, be wary of configuring too many restrictions. Cookies are common and necessary on the Internet, and too many restrictions can cause many browsing problems for your users—which sends them screaming to you for help!