Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)


Internet Explorer enforces security rules for websites by grouping them into categories or “security zones”. Today we want to explain the changes to security zones you’ll see in IE7 so we should first clarify what the security rules are in IE6.

On the Security tab of Internet Options under the Tools menu, you will see the Internet, Intranet, Trusted Sites and Restricted Sites zones. The rules for security zones control how each group of websites is allowed to interact with your computer. If you put a site in the Restricted Sites zone, IE will prevent the site from using features like script and ActiveX controls. The Internet zone contains sites where most people browse and is intended to safely handle script and ActiveX controls to keep you, the user, in control of what websites can do; for example, if a site is in the Internet zone, IE will block pop-up windows from that site.

The Intranet zone is really designed for sites built by a network administrator. Network administrators, particularly in corporations, commonly need some freedom to interact with your computer. For example, if you have an intranet, you may notice that IE still allows pop-up windows. Because a site that’s truly on your intranet is likely to be an important application, the pop-up windows are likely from your network admin rather than an advertisement pop-up that’s common on the Internet.

If you add a site to “Trusted Sites” in IE6, you are removing most restrictions from the site: you are granting the site enough control to automatically install software on your computer and use script to communicate with other sites on your behalf. Another zone that you can’t see is called the My Computer zone; it also has few restrictions, similar to the Trusted Sites zone. The My Computer zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allow more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than it should. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen.

Despite the URL parsing improvements, our threat models will continue to drive us to add defense-in-depth against zone-spoofing threats. We realized that the Intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. One of our interns this summer, Robert Liao, changed IE’s logic so that a Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet. This change effectively removes the attack surface of the Intranet zone for home PC users.

Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone.

There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can’t set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they’ll be able to.
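
The decision described in the last three paragraphs can be written down as a small model. This is an added example, not IE's code: the dotless-host test for an "apparent" intranet site, the precedence of policy over the domain check, the rule for when the information bar appears, and the names `Machine` and `resolve` are all assumptions made for illustration.

```python
"""Model of the IE7 zone decision described in the post (illustration only)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

INTERNET = "Internet"
INTRANET = "Intranet"
TRUSTED = "Trusted Sites"
RESTRICTED = "Restricted Sites"


@dataclass
class Machine:
    """Hypothetical description of one PC's state; not an IE data structure."""
    domain_joined: bool = False
    # None means the admin has not configured the intranet setting by policy.
    policy_intranet: Optional[bool] = None
    # True once the user re-enables the intranet zone from the information bar.
    user_enabled_intranet: bool = False
    trusted: Set[str] = field(default_factory=set)
    restricted: Set[str] = field(default_factory=set)


def looks_like_intranet(host: str) -> bool:
    """Assumed heuristic for an 'apparent' intranet site: a dotless host name.

    Dotted names and IP literals (including private ranges) do not match.
    """
    return bool(host) and "." not in host and ":" not in host


def intranet_zone_active(m: Machine) -> bool:
    """Assumption: explicit policy wins, then domain membership or user choice."""
    if m.policy_intranet is not None:
        return m.policy_intranet
    return m.domain_joined or m.user_enabled_intranet


def resolve(url: str, m: Machine) -> Tuple[str, bool]:
    """Return (zone, show_information_bar) for a URL on machine m."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Assumption: sites listed explicitly by the user or admin are matched first.
    if host in m.restricted:
        return RESTRICTED, False
    if host in m.trusted:
        return TRUSTED, False
    if looks_like_intranet(host):
        if intranet_zone_active(m):
            return INTRANET, False
        # Probable intranet site on an unmanaged PC: it runs as Internet.
        # Assumption: the bar is offered only when no policy has decided.
        return INTERNET, m.policy_intranet is None
    return INTERNET, False


if __name__ == "__main__":
    # Constructed sample machines and URLs.
    machines = {
        "home PC": Machine(),
        "domain-joined": Machine(domain_joined=True),
        "workgroup + policy": Machine(policy_intranet=True),
        "home, user opted in": Machine(user_enabled_intranet=True),
    }
    urls = ["http://payroll/timesheet", "http://192.168.1.10/",
            "https://www.example.com/"]
    for name, machine in machines.items():
        for url in urls:
            zone, bar = resolve(url, machine)
            print(f"{name:22} {url:28} -> {zone:10} infobar={bar}")
```
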

We are also increasing security for the Internet zone and the Trusted Sites zone. The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista, which helps provide defense-in-depth against some of the attacks IE has faced in the past. ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the Internet zone (this feature deserves its own post). IE7 introduces a new security level for these additional protections, Medium-high.

With the Trusted Sites zone in IE6, we find that many users don’t understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user’s machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6. Customers who depend on the IE6 level of the Trusted Sites zone will be able to lower settings back to IE6 levels with the slider on the “Security” tab of “Internet Options” or through policy settings.

 – Vishu Gupta, Rob Franco and Venkat Kudulur

Comments (40)

  1. Anonymous says:

    texastig: If you have Windows Vista, you can make use of Windows Parental Controls (mentioned here: http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx). On XP, you can use the existing Content Ratings feature carried over from XP.

    PatriotB: Yup, in most Novell deployments I’ve seen, login scripts are used to manage registry keys controlling enterprise-wide policies.

    ShadowChaser: IE7 will resolve the issue that submitting a webform changes you to the "Custom" security template for a given zone. We’re also introducing a new feature which will explicitly note when you have insecure settings in INETCPL.

  2. Anonymous says:

    I don’t know what to say, except… I’m not getting a warm fuzzy. But then I’ve never really understood what you guys were thinking when you came up with the existing security zone architecture. Why a fixed number of zones, special cases, hidden zones, expecting users to duplicate settings in multiple zones, etc?

    Say a user wanted to run with the same privileges across the board. Shouldn’t they be able to configure one and only one zone, named whatever they want… "Default Zone" let’s say… and maintain their settings in just one place?

    A sound approach is to make default permissions appropriately restrictive, and then grant them on an as-needed basis. That approach requires support for creating any number of custom access levels, or zones in this case. How can users do that?

    There shouldn’t be hidden zones which are tweaked via obscure registry keys. Having a local, my computer zone makes sense, but it should be visible and have an interface. Having the default settings for that zone be tight makes sense, but it also makes sense for there to at least be a way to relax restrictions on pages in certain directories. Can that be done?

    All these mechanisms to protect one’s computer and self… shouldn’t the user have the ability to configure a Prohibited Sites zone?

  3. Anonymous says:

    PatriotB: OK, "suddenly kills" was a bit harsh :)

    There are lots of tools to emulate "group policies" on non-AD networks, including reg files, tools such as Novell Zenworks, etc.

    The point, however was that IE7 will behave differently on a Microsoft Windows domain than it will on a non-Microsoft server infrastructure. This imposes an extra burden on companies (Microsoft client OS customers) using a competitor’s back-end products, rather than Windows Server and AD.

    IE7 will naturally and fairly quickly become a "required" update for security and standards reasons. This is good.

    However, certain changes in behaviour could delay organizations from upgrading. This is bad.

    If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.

    The case for changing the Windows XP Home behaviour is definitely much more pronounced than the behaviour of XP Pro in a non-AD environment.

  4. Anonymous says:

    <<If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.>>

    I think you might be confused. IE6 doesn’t "detect" the Intranet zone; it’s on whether you need it or not.

  6. Anonymous says:

    Me:

    Excellent! You picked a new icon!

    Can you fix alpha channel display transparency errors in IE 6’s PNG display now?

    Chris:

    Fred Vorck, please stick to the subject. They told us months ago that the PNG bug will be fixed.

    Here’s the link: http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx

    —-

    Chris, if you don’t bug the IE team about things constantly in all sorts of contexts, it won’t get done.

    Also, no one ever told us that PNG transparency would be fixed in IE 6. Six. The number before seven and after five, etc etc. It is not unreasonable to ask that some features from IE7 make it into 6.

    It’s all about sorting what users value and what they don’t (FIX SIX FIX SIX FIX SIX). They’re obviously not listening, Chris.

  7. Anonymous says:

    This sort of relates to IE Security….

    Because ActiveX controls (and plug-ins) are useful for so many websites, but carry the potential for harm, my Internet Zone is set to prompt for ActiveX controls. I have long wished that the prompt message would give me more detail as to the type of control/plug-in/content being invoked. As it is, every control/plug-in, whether Acrobat Reader, Flash, or lethal-malware gives the same question: "Do you want to allow software such as ActiveX controls and plug-ins to run?" The choices are yes or no–sometimes my answer is "tell me more" but I have to make my best guess.

    In addition, I would like to be able to specify individual plug-ins and ActiveX controls as always trust, never trust, or prompt. I may always trust Acrobat Reader, but never trust another control/plug-in.

    Information is power; can I have a little power, please? Thanks

  8. Anonymous says:

    Thanks! We were wondering what the infobar was trying to tell us when we ran our asset management system (prior to domain join) on current builds. It wasn’t intuitive what "enable intranet settings" meant.

  9. Anonymous says:

    I was just using the IE7 beta in standalone mode, and noticed that it blocks javascript confirm dialogs as popups. Is this part of the new "security" upgrades, or a bug in the popup blocker? Or a problem caused by running it in standalone mode?

    Thanks!

  10. Anonymous says:

    Great info, I wish the other teams at MS were so forthcoming with information.

  11. Anonymous says:

    Why doesn’t IE just scrap the zones entirely? Other browsers don’t use them because they’re confusing. If you allow one zone to be set at low security, then it’s going to lead to cross-zone attacks like these:

    http://secunia.com/advisories/12889/

    http://secunia.com/advisories/11793/

    I won’t be upgrading to Vista or using IE7 anywhere unless they change this.

  12. Universalis says:

    Is there in IE7 a difference between how Authenticode-signed .EXEs and unsigned .EXEs are treated from the user’s point of view? We tend to supply our software as a signed downloadable .EXE installer, but I can’t see any difference in behaviour in IE5/IE6 between whether it’s signed or not. Perhaps, though, this is a matter of the zone I’ve assigned to the download site.

  13. Anonymous says:

    Dump ActiveX… Eolas keeps telling you to.

  14. Anonymous says:

    All these different zones are nice but why not have an OS that use groups and permissions correctly…? No other browser worries about security zones… Why does IE have to…?

  15. Anonymous says:

    I like the zones, and if someone does not know how to use them, then he does not need to use them at all. I have restricted zone at high as well as internet, but thanks to IE-SpyAD I know if the site is restricted. Since I do not use a realtime antispyware, IE-SpyAD helps me to identify the "bad" sites.

  16. Anonymous says:

    "Because ActiveX controls (and plug-ins) are useful for so many websites, but carry the potential for harm, my Internet Zone is set to prompt for ActiveX controls. I have long wished that the prompt message would give me more detail as to the type of control/plug-in/content being invoked…. can I have a little power, please?"

    Well, it sounds like you are running IE the same way I used to, and frankly you are exactly the type of user we had in mind when we designed and implemented the "Manage Add-ons" feature in XPSP2 and IE7. This feature effectively lists every bit of binary extensibility ever loaded in the browser, complete with GUID, publisher (if known), binary name, etc., and allows the user complete control of which extensibility is enabled. Give it a go and let me know if it isn’t what you were looking for; I know it makes a world of difference to me.

    – John

  17. Anonymous says:

    <<I won’t be upgrading to Vista or using IE7 anywhere unless they change this.>>

    If you really want a Zone-less IE, it is simple enough to get IE to behave as if Zones don’t exist. Simply set your security settings for each zone to the same value, and zones are then irrelevant.

    <<All these different zones are nice but why not have an OS that use groups and permissions correctly…?>>

    I’m not sure I understand your question. What OS do you feel "uses groups and permissions correctly"? Zones essentially ~are~ a mechanism for creating security groups and assigning them permissions. Or are you suggesting that Windows’ permission model should be extended to apply to websites?

    (As for the suggestion that other browsers don’t support Zones: As far as I know, Zones basically do exist in many browsers that support chrome extensibility. They are used to prevent remote sites from manipulating local browser chrome, a privilege which is restricted to content on the local machine.)

  18. PatriotB says:

    Couple questions…

    1. Is it correct to assume that the lockdown of the intranet zone on non-domain computers applies to localhost as well?

    2. Since you brought up the popup blocker… can we get a response to the issue of popups being allowed via "HTML Document" and "DHTML Edit Control Safe for Scripting" ActiveX controls? Is this a "by design", "will fix", "fixed in IE7" etc? I hope it’s not by design; I’d rather not have to block the DHTML control altogether just to block popups. (I have already blocked HTML Document with no negative side-effects). Personally, I think these should be fixed for IE6 SP2 as well as IE7.

    And a comment: I really like how the security settings are tied in to the Security Center on Vista 5231. Immediately upon changing a single setting to a less-secure setting, the Security Center chimed in saying the PC is at risk. This is a good thing and should help users keep the somewhat-complex IE security settings set to safe values. (Also, it would be great if 3rd-party apps could integrate into the security center this way. Of course that opens up the door to abuse, so maybe it’s not such a good idea ;-))

  19. Anonymous says:

    Managing IE in an enterprise network is today hell – what about a new IEAK?

  20. Anonymous says:

    Hi, thanks for taking the time to publish your plans in an informative article. I had some questions.

    I am wondering why domain administrators aren’t expected to configure trusted sites themselves, via group policy. If they must do so for workgroup computers, and must manage the intranet servers themselves, it doesn’t seem like a great stretch.

    On the other hand, why was it important to remove detection of the intranet zone for home users, rather than increase the default settings to be identical to the internet zone and maybe show a scary confirmation message with three variously phrased cancel buttons, a checkbox and a small ok button on any attempt to change it?

    On the subject of zones, I’ve always been confused by the use-case for the Restricted Sites zone. When is this used? Surely, users aren’t expected to add sites to it before browsing to them. Is it mostly useless? Is it only for use by Outlook and similar hosts that explicitly request it? How does it differ from the new protected mode?

    This might make me sound pretty stupid, but let me explain why I’m having difficulty understanding. IE7 seems to have the following zones:

    * The local machine zone. Same as internet, following XPSP2 lockdown. Can’t be configured anyway.

    * The local intranet zone. In IE7, it might as well be the same as the internet zone.

    * The internet zone. The default for anything that isn’t in an equivalent zone.

    In other words, this elaborate scheme seems entirely superfluous to the outsider, yet is a source of risk by your own assessment. Consequently, we’re to be left with the coarse-grained whitelisting and blacklisting features that masquerade as the trusted sites and restricted sites zones.

    I was also interested in clarification between IE’s notion of zones and the shell’s: when I browse to an SMB share on my network, the status bar dutifully reports that it’s in the "Local Intranet" zone. Presumably this won’t be affected?

    Overall, I’m glad to see the change. I’ve never really trusted the Local Intranet zone because I don’t understand what it does for laptops, the site options for the zone like "Include all UNC paths" are seemingly empty of meaning, and in general it doesn’t make sense to make security decisions without being able to confirm a site’s identity… and who runs SSL web servers at home?

    (I’m using a different browser, of course. It has a very fine-grained CAPS feature, and doesn’t attempt to guess what permissions I would grant the site. Oh, and fewer exploits are written for it, for whatever reason).

  21. Anonymous says:

    I can see the value of zones, but when working as a home user I don’t think I have enough choice. I would rather not trust most sites by default, and if I want to use the functionality of that site fully I would move it into a My Sites zone for example. How this contrasts to what we have currently is I could have an arbitrary set of zones with different permissions (with the most restrictive one as default). My ‘my sites’ user definable zone might allow Flash and JavaScript etc.

    On another matter entirely I have been watching quite a few of the PDC videos and they all sit in the same directory. I get the "are you sure you want to run script" prompt every time I start one and can’t add that directory to be trusted (I guess because it’s from my computer).

    My emphasis of this comment is I would like to lockdown as much as I can and open up when necessary, but opening up doesn’t mean giving a full range of permissions because one site in that zone might require it.

  22. Anonymous says:

    <<I browse to an SMB share on my network, the status bar dutifully reports that it’s in the "Local Intranet" zone. Presumably this won’t be affected? >>

    Actually, the zones used by the shell match IE’s zones, so this would show as Internet.

  23. Anonymous says:

    Eric, Explorer’s zone currently does match IE6’s. If you read carefully, I didn’t suggest otherwise. I assume that will continue, but will changing that zone from the local intranet zone to the internet zone have consequences?

    Maybe that sounds like a foolish question to you. After all, I don’t have any idea what it would mean to apply zone restrictions to a file share (I notice that file preview still works, along with various other shell extensions). On the other hand, to outsiders, the zone system was seemingly dreamt up and is preserved by crack addicts and its very principle seems contrary to secure design, so as a customer (of your operating system and some embedding applications), I need to understand how it will affect me and how to work around it as best as possible.

  24. Anonymous says:

    Ok – Why would they go back – and remake six, to support png transparency (which barely existed when the core of the current IE was made) – when they have a product it works in? Not to mention, a product that they more or less give away for free? People want to complain about prices, then they want to complain that Microsoft doesn’t do everything in the world – for free I guess.

    —-

    Anyway – really wanted to echo the comments a few up – what we honestly need is everything set to restricted by default, and an easy to get to button on the toolbar to toggle it to trusted. I know many may disagree – but I see no use for more than two zones – (if you allow user initiated downloads from the default restricted that is) – either you trust the site, or you don’t know if you trust the site – so you shouldn’t take em out of restricted.

    I honestly think a system like that would basically kill off the BS. At the same time, that would allow developers to fully use the toys that IE has that really sets it apart from any other browser. It’s those things that we can not use on the web that really keeps me liking IE, with the hopes that someday – maybe, I can have them back :)

    I do not even think the most easily confused user would have difficulty with such a system – any "bad" site they would be limited to html only to try to trick someone – and that’s gonna be difficult, and to really ensure no problems – you could easily add in to the current anti spoofing system a simple counter – how many people have this site trusted, how many people do not – which would make it really simple for someone that doesn’t have a clue – if 4,353 say bad – and 1 says good – pretty obvious. That would also be in keeping with the general idea of people helping people – one simple action, done by thousands of people, provides an instant answer of if this is a site to be trusted or not.

    We in so many ways are going sideways, if not backwards, on the web – while trying to pretend to be going forward. Everyday – more and more of what we can do as developers, and in turn as users, has to be restricted. I can see the day coming down the road where we are back to Text only webpages being the only safe way to go – any form of binary file will always have the potential to do something other than intended. The net really needs to start mirroring the real world and browsers need to stop trying to be a babysitter. – they do need to do what we expect though –

    In the real world – you go down to some sleazy bar, and start flashing a handful of hundreds around – and bad things happen to you – pretty much everyone you tell about it is going to ask, "What did you expect?" Most people know better than to try to walk across the Autobahn, most people know it would be dumb to go stand in front of the local cop shop and moon every cop that walks out – the net has to get to the point where we treat it the same – where you, the user, have to just not do the dumb thing – if you do, well – nobody is going to feel too sorry for the idiot that was mooning the cops, and they may think it’s tragic that you decided to walk across the bahn, but everyone is going to consider it your fault you just got hit by that Porsche going 190.

    Really – I am just getting tired of the fact that we are allowing a handful of people in the world, control what we can and can not do.

  25. Anonymous says:

    Windows security will stop being a sad farce the day Windows stops looking at filenames to figure out what to do with the file. Particularly for executable formats.

  26. Anonymous says:

    "Powerful add-ons like ActiveX controls are part of what make browsing such a rich experience but any extensibility can also introduce threats to browser security."

    To think it only took 15 years to figure that out, now all you need to do is realize how big a threat they are and deal with them effectively, so IE 8 in 2030 will be great, really looking forward to that ;)

  27. Anonymous says:

    << I don’t have any idea what it would mean to apply zone restrictions to a file share >>

    The only interesting side-effect I’ve seen is that you are now prompted before running unsigned executables from the SMB share.

  28. Anonymous says:

    How will your customers who don’t run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode.

    What will happen when IE7 suddenly kills their Intranet sites?

    Not suggesting you change the planned behaviour, just trying to inject some reality – it’s not an all-Microsoft world out there yet.

  29. Anonymous says:

    The zone improvements seem good, but what happens the second I submit a web form?

    In all other versions of IE, I get dropped into the "mystery" Custom zone, causing other security apps (like MBSA) to report me as being unsecure.

    This comment is really ugly:

    "Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet."

    "Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone."

    Yes, that’s exactly what I would expect – Microsoft abusing their desktop monopoly yet again.

    At every excuse you can get you lock people into your server product. People running J2EE? Apache? Oh they must be insecure, given that they are competing products. Not a domain member? Oh that means they aren’t generating extra revenue for Microsoft, let’s treat them like second class citizens.

    I fail to see how this is any more secure than the old model. Traffic in the private network IP blocks is not routable over the public Internet. A rogue web server running on a domain member is no more secure than a legitimate web server running on a non-Windows or non-domain member.

    I’m generally a big supporter of Microsoft in my office, but this is completely inexcusable. Internet Explorer holds a virtual stranglehold over the Intranet/Corporate market – Firefox and other alternative browsers haven’t been able to touch it.

    I imagine once you have finished pissing off every single company running a mixed-environment, they’ll re-evaluate their IE investment.

  30. Anonymous says:

    Will the new IE7 be able to block all websites and only allow ones I want?

    I just want to protect my kids.

    thanks

  31. PatriotB says:

    "How will your customers who don’t run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode.

    What will happen when IE7 suddenly kills their Intranet sites?"

    "Suddenly kills" is a bit of an exaggeration. Hopefully these companies tested IE7 on their web apps to see what happens, and came up with a strategy to handle it, prior to deploying it. (That takes the "suddenly" out of the sentence.)

    The strategy is making changes to "settings for the Intranet to make sure that IE behaves as they wish" as mentioned in the article. If the company isn’t/can’t use group policy, hopefully they have some other management software that can deploy registry settings to all the computers in their network.

  32. Hello! I am Eric Lawrence, the person in charge of the Internet Explorer security program. Last Tuesday, Dean posted our thoughts on a trustworthy browser. Today