April 12, 2001 12:00 AM

Internet Explorer Security Options, Part 2

Windows IT Pro
InstantDoc ID #20622

In Part 1 of this series, I described the security zones in Microsoft Internet Explorer (IE) 5.0. Here, in Part 2, I'll show you how to configure the security settings for each zone. In the final part of this series, I'll explain how to create rules in Active Directory (AD) to centrally and consistently configure these IE security settings for all users in your domain according to each type of user.

Custom Level Security Settings
To view IE's preconfigured settings, open IE, select Tools, Internet Options, and select the Security tab, as Figure 1 shows. IE has four zones: Internet, Local intranet, Trusted sites, and Restricted sites. Each zone has a preset level of security—Low, Medium-low, Medium, and High. To view IE’s actual security settings for a particular zone, click Custom Level, which displays the Security Settings dialog box, as Figure 2 shows. Almost all of the categories for these settings have the same three choices: disable, enable, and prompt. If you disable the policy, users can't perform the operation; enable it, and they can. If you select prompt, IE displays a warning dialog box each time the users try the operation, letting them make the security decision on a case-by-case basis. I recommend that you select this option only for conscientious, Internet security-savvy users who can make informed decisions. For other users, the prompt option can become a nuisance dialog box that they will click through without thinking; seeing the warning box can also cause users to make countless calls to your Help desk.

ActiveX controls and plug-ins
The first of the security categories, ActiveX controls and plug-ins, provides policies that you can use to control whether users can download and execute ActiveX controls referenced by Web pages in the current content zone. Web developers can embed ActiveX controls in Web pages to provide highly functional and interactive applications that typically wouldn't be available to a user through Java. (For example, Microsoft Windows Media Player (WMP), Macromedia Shockwave, and RealNetworks RealPlayer are popular controls for multimedia sites.) With Java applets, you can implement very granular security control (e.g., whether the applet can access files on the local computer), but with ActiveX, you can only specify whether the control executes. An enabled ActiveX control can access all resources on the computer, including files and folders.

Download signed ActiveX controls and plug-ins and Download unsigned ActiveX controls and plug-ins. The first two policies under ActiveX controls and plug-ins are Download signed ActiveX controls and plug-ins and Download unsigned ActiveX controls and plug-ins. These two policies control whether users can download controls referenced on Web pages in the current zone, and let you prevent users from installing a new control depending on whether the control is signed or unsigned.

A signed control lets you use a certificate to verify who developed the control. You can use this setting along with the settings under Tools, Internet Options, Content to specify that users can download controls only from publishers you trust. If you select prompt, IE displays a warning dialog box each time the user tries to download a signed control, unless a trusted publisher has signed it. If you select enable, IE lets users download any signed control, regardless of who is the publisher. If you select enable or prompt, IE always warns the users if the signature isn’t valid (e.g., if the publisher’s certificate has expired). Download unsigned ActiveX controls and plug-ins works the same as its signed counterpart, but this policy applies to controls with no signature.

Run ActiveX controls and plug-ins. You can use the Run ActiveX controls and plug-ins policy to decide whether users can run a control when a Web page includes a link (e.g., the top movie trailer links at http://www.real.com). Enable, disable, and prompt work the same way as they do in the other categories. If you select "Administrator approved," you can use the User Configuration, Administrative Templates, Internet Explorer, Administrator Approved Controls section of Group Policy Objects (GPOs) to specify a list of controls that you will let users run.

Script ActiveX controls marked safe for scripting and Initialize and script ActiveX controls not marked as safe. IE's security settings for ActiveX controls include two policies to control whether client-side scripts embedded in Web pages can use ActiveX controls (e.g., go to http://www.cnn.com to see video clips that a JavaScript opens). You can specify enable, disable, and prompt for both policies. ActiveX is a software component reuse technology that isn't limited to Web page content, and some ActiveX controls are designed for non-Web-based applications and aren't intended for use from Web pages. Developers shouldn't mark as safe for scripting any control that might perform dangerous functions in the context of a Web page (e.g., access the local drive).

Securing IE's ActiveX Controls
How should you configure these ActiveX settings? I recommend disabling downloads of both signed and unsigned controls except for sophisticated power users; otherwise, anyone can install unauthorized and potentially dangerous software on computers within your trusted network. Because I frequently come across Web sites that use controls whose certificates have expired, I haven’t found much value in specifying different policies for signed or unsigned controls. The defect in the safe for scripting setting is that you trust the developer to conscientiously mark the control properly; however, sometimes developers neglect to properly configure this property. Additionally, because it's so difficult to write secure code, a malicious attacker can often trick controls that don’t contain potentially dangerous logic into performing malicious operations through buffer overflows or unchecked input parameters. Consequently, enabling ActiveX at all is a risky proposition. For maximum safety, I disable all ActiveX settings in the Internet zone for typical users. For power users who depend on full Internet access, I enable the ActiveX settings. Although basic users who don’t access a lot of multimedia content might not mind disabled ActiveX settings, you'll no doubt hear complaints from users who regularly watch news clips and other multimedia content. If there are a few news or investor-related Web sites that your typical users access, you can add these sites to the Trusted sites zone and enable ActiveX functionality for that zone.
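The following PowerShell audit script is an added example, not part of the original article: it reads the five ActiveX policies discussed above for one zone and flags any Internet-zone policy that departs from the "disable all ActiveX for typical users" baseline recommended here. It assumes the IE zone registry layout Microsoft documents for IE 4 and later (per-zone keys under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, DWORD values named by policy ID, with 0 = Enable, 1 = Prompt, 3 = Disable, and 0x10000 = Administrator approved for Run ActiveX controls); the function and variable names are my own.

```powershell
# Zone numbers used by IE's registry layout (assumed from Microsoft's documented layout).
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Registry value names (policy IDs) of the five ActiveX settings the article walks through.
$ActiveXPolicies = [ordered]@{
    '1001' = 'Download signed ActiveX controls and plug-ins'
    '1004' = 'Download unsigned ActiveX controls and plug-ins'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

# Decode the DWORD into the wording shown in the Security Settings dialog box.
function ConvertTo-SettingName([int]$Value) {
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        65536   { 'Administrator approved' }   # 0x10000, only meaningful for 1200
        default { "Unknown ($Value)" }
    }
}

# Returns one object per ActiveX policy for the requested zone.
# Use -Hive HKLM when the machine enforces HKLM-only zone settings.
function Get-ZoneActiveXSettings {
    param([ValidateRange(0, 4)][int]$Zone, [string]$Hive = 'HKCU')
    $key   = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($id in $ActiveXPolicies.Keys) {
        $raw = $props.$id
        [pscustomobject]@{
            Zone          = $ZoneNames[$Zone]
            Policy        = $ActiveXPolicies[$id]
            Setting       = if ($null -eq $raw) { 'Not set' } else { ConvertTo-SettingName $raw }
            # Article's baseline for typical users: every ActiveX policy disabled in the Internet zone.
            MeetsBaseline = ($Zone -ne 3) -or ($raw -eq 3)
        }
    }
}

# Report the Internet zone and warn about each policy that is not set to Disable.
$report = Get-ZoneActiveXSettings -Zone 3
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.MeetsBaseline } |
    ForEach-Object { Write-Warning "Internet zone: '$($_.Policy)' is $($_.Setting); baseline is Disable" }
```

Run it with `-Zone 2` to review what the Trusted sites zone allows before you add news or investor sites to it, since the relaxed settings there apply to every site you add.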

Comments
  • Anonymous User
    Jul 07, 2005

    I too have had the problem that, even though I've set my controls to allow ActiveX, it still will not download! Why?

  • Anonymous User
    Feb 18, 2005

    What if you have already set it to allow ActiveX, but it still prohibits you from downloading ActiveX?

  • Bucky
    Jul 07, 2004

    I'm still not clear as to how to set up "Administrator approved" ActiveX controls. A step-by-step example using the easiest way (if there is more than one way of doing this) would be very helpful. Thanks

  • Herisanu Ioan
    Jun 18, 2004

    I would have liked an article describing how to set up something like: only ActiveX from Yahoo, Acrobat, and so on are allowed to execute. The problem here is that you can't find such an ID for those controls; you have to find them manually.

  • Brian
    May 05, 2003

    Is there a way to disable ActiveX and the security warning "your current security settings prohibit you from running ActiveX controls on this page"?
