Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)

Internet Explorer enforces security rules for websites by grouping them into categories or “security zones”. Today we want to explain the changes to security zones you’ll see in IE7 so we should first clarify what the security rules are in IE6.

On the Security tab of Internet Options under the tools menu, you will see the Internet, Intranet, Trusted Sites and Restricted Sites zones. The rules for security zones control how each group of websites is allowed to interact with your computer. If you put a site in the Restricted sites zone, IE will prevent the site from using features like script and ActiveX controls. The Internet Zone contains sites where most people browse and is intended to safely handle script and ActiveX controls tokeep you, the user, in control of what websites can do; for example if a site is in the internet zone, IE will block pop-ups windows from that site. The Intranet zone is really designed for sites built by a network administrator. Network administrators, particularly in corporations, commonly need some freedom to interact with your computer. For example, if you have an intranet, you may notice that IE still allows pop-ups windows. Because a site that’s truly on your intranet is likely to be an important application, the pop-up windows are likely from your network admin rather than an advertisement pop-up that’s common on the Internet. If you add a site to “Trusted Sites” in IE6, you are removing most restrictions from the site, you are granting the site enough control to automatically install software on your computer and use script to communicate with other sites on your behalf. Another zone that you can’t see is called the My Computer Zone and also has few restrictions similar to the Trusted Sites zone. The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allows more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen. 

Despite the URL parsing improvements; our threat-models will continue to drive us to add defense-in-depth against Zone-spoofing threats. We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. One of our interns this summer, Robert Liao, changed IE’s logic so that a Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet. This change effectively removes the attack surface of the intranet zone for home PC users.

Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone.

There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can’t set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranetzone, they’ll be able to.

We are also increasing security for the Internet Zone and the Trusted sites zone. The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista which helps provide defense-in-depth against some of the attacks IE has faced in the past. ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the internet zone (this feature deserves its own post). IE7 introduces a new security level for these additional protections, Medium-high.

With the Trusted Sites zone in IE6, we find that many users don’t understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user’s machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6. Customers who depend on the IE6 level of the Trusted Sites zone will be able lower settings back to IE6 levels with the slider on the “Security” tab of “Internet Options” or through policy settings.

 - Vishu Gupta, Rob Franco and Venkat Kudulur

Comments

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Thanks! We were wondering what the infobar was trying to tell us when we ran our asset management system (prior to domain join) on current builds. It wasn't intuitive what "enable intranet settings" meant.

• Anonymous
  January 01, 2003
  I was just using the IE7 beta in standalone mode, and noticed that it blocks javascript confirm dialogs as popups. Is this part of the new "security" upgrades, or a bug in the popup blocker? Or a problem caused by running it in standalone mode?
  
  Thanks!

• Anonymous
  January 01, 2003
  Great info, I wish the other teams at MS were so forth coming with information.

• Anonymous
  January 01, 2003
  Why doesn't IE just scrap the zones entirely? Other browsers don't use them because they're confusing. If you allow one zone to be set at low security, then it's going to lead to cross-zone attacks like these:
  
  http://secunia.com/advisories/12889/
  http://secunia.com/advisories/11793/
  
  I won't be upgrading to Vista or using IE7 anywhere unless they change this.

• Anonymous
  January 01, 2003
  Is there in IE7 a difference between how Authenticode-signed .EXEs and unsigned .EXEs are treated from the user's point of view? We tend to supply our software as a signed downloadable .EXE installer, but I can't see any difference in behaviour in IE5/IE6 between whether it's signed or not. Perhaps, though, this is a matter of the zone I've assigned to the download site.

• Anonymous
  January 01, 2003
  Dump ActiveX... Eolas keeps telling you to.

• Anonymous
  January 01, 2003
  All these different zones are nice but why not have an OS that use groups and permissions correctly...? No other browser worries about security zones... Why does IE have to...?

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  "Because ActiveX controls (and plug-ins) are useful for so many websites, but carry the potential for harm, my Internet Zone is set to prompt for ActiveX controls. I have long wished that the prompt message would give me more detail as to the type of control/plug-in/content being invoked.... can I have a little power, please?"
  
  Well, it sounds like you are running IE the same way I used to, and frankly you are exactly the type of user we had in mind when we designed and implemented the "Manage Add-on's" feature in XPSP2 and IE7. This feature effectively lists every bit of binary extensibility ever loaded in the browser, complete with GUID, publisher (if known), binary name, etc., and allows the user complete control of which extensibility is enabled. Give it a go and let me know if it isn't what you were looking for; I know it makes a world of difference to me.
  
  -- John

• Anonymous
  January 01, 2003
  <<I won't be upgrading to Vista or using IE7 anywhere unless they change this.>>
  
  If you really want a Zone-less IE, this is simple enough to get IE to behave as if Zones don't exist. Simple set your security settings for each zone to the same value, and zones are then irrelevant.
  
  <<All these different zones are nice but why not have an OS that use groups and permissions correctly...?>>
  
  I'm not sure I understand your question. What OS do you feel "uses groups and permissions correctly"? Zones essentially ~are~ a mechanism for creating security groups and assigning them permissions. Or are you suggesting that Windows' permission model should be extended to apply to websites?
  
  (As for the suggestion that other browsers don't support Zones: As far as I know, Zones basically do exist in many browsers that support chrome extensibility. They are used to prevent remote sites from manipulating local browser chrome, an privilege which is restricted to content on the local machine.)
  

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  <<I browse to an SMB share on my network, the status bar dutifully reports that it's in the "Local Intranet" zone. Presumably this won't be affected? >>
  
  Actually, the zones used by the shell match IE's zones, so this would show as Internet.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Windows security will stop being a sad farce the day Windows stops looking at filenames to figure out what to do with the file. Particularly for executable formats.

• Anonymous
  January 01, 2003
  "Powerful add-ons like ActiveX controls are part of what make browsing such a rich experience but any extensibility can also introduce threats to browser security."
  
  To think it only took 15 years to figure that out, now all you need to do is realize how big a threat they are and deal with them effectively, so IE 8 in 2030 will be great, really looking forward to that ;)

• Anonymous
  January 01, 2003
  << I don't have any idea what it would mean to apply zone restrictions to a file share >>
  
  The only interesting side-effect I've seen is that you are now prompted before running unsigned executables from the SMB share.

• Anonymous
  January 01, 2003
  How will your customers who don't run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode.
  
  What will happen when IE7 suddenly kills their Intranet sites?
  
  Not suggesting you change the planned behaviour, just trying to inject some reality - it's not an all-Microsoft world out there yet.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Will the new IE7 be able to block all websites and only allow ones I want?
  I just want to protect my kids.
  thanks

• Anonymous
  January 01, 2003
  "How will your customers who don't run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode.
  
  What will happen when IE7 suddenly kills their Intranet sites?"
  
  "Suddenly kills" is a bit of an exaggeration. Hopefully these companies tested IE7 on their web apps to see what happens, and came up with a strategy to handle it, prior to deploying it. (That takes the "suddenly" out of the sentence.)
  
  The strategy is making changes to "settings for the Intranet to make sure that IE behaves as they wish" as mentioned in the article. If the company isn't/can't use group policy, hopefully they have some other management software that can deploy registry settings to all the computers in their network.

• Anonymous
  January 01, 2003
  texastig: If you have Windows Vista, you can make use of Windows Parental Controls (mentioned here: http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx). On XP, you can use the existing Content Ratings feature carried over from XP.
  
  PatriotB: Yup, in most Novell deployments I've seen, login scripts are used to manage registry keys controlling enterprise-wide policies.
  
  ShadowChaser: IE7 will resolve the issue that submitting a webform changes you to the "Custom" security template for a given zone. We're also introducing a new feature which will explicitly note when you have insecure settings in INETCPL.

• Anonymous
  January 01, 2003
  I don't know what to say, except... I'm not getting a warm fuzzy. But then I've never really understood what you guys were thinking when you came up with the existing security zone architecture. Why a fixed number of zones, special cases, hidden zones, expecting users to duplicate settings in multiple zones, etc?
  
  Say a user wanted to run with the same privledges across the board. Shouldn't they be able to configure one and only one zone, named whatever they want... "Default Zone" lets say... and maintain their settings in just one place?
  
  A sound approach is to make default permissions appropriately restrictive, and then grant them on an as-needed basis. That approach requires support for creating any number of custom access levels, or zones in this case. How can users do that?
  
  There shouldn't be hidden zones which are tweaked via obscure registry keys. Having a local, my computer zone makes sense, but it should be visible and have an interface. Having the default settings for that zone be tight makes sense, but it also makes sense for there to at least be a way to relax restrictions on pages in certain directories. Can that be done?
  
  All these mechanisms to protect one's computer and self... shouldn't the user have the ability to configure a Prohibited Sites zone?
  

• Anonymous
  January 01, 2003
  PatriotB: OK, "suddenly kills" was a bit harsh :)
  
  There are lots of tools to emulate "group policies" on non-AD networks, including reg files, tools such as Novell Zenworks, etc.
  
  The point, however was that IE7 will behave differently on a Microsoft Windows domain than it will on a non-Microsoft server infrastructure. This imposes an extra burden on companies (Microsoft client OS customers) using a competitor's back-end products, rather than Windows Server and AD.
  
  IE7 will naturally and fairly quickly become a "required" update for security and standards reasons. This is good.
  
  However, certain changes in behaviour could delay organizations from upgrading. This is bad.
  
  If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.
  
  The case for changing the Windows XP Home behaviour is definitely much more pronounced than the behaviour of XP Pro in a non-AD environment.
  
  

• Anonymous
  January 01, 2003
  <<If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.>>
  
  I think you might be confused. IE6 doesn't "detect" the Intranet zone; it's on whether you need it or not.

• Anonymous
  January 01, 2003
  <<If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.>>
  
  I think you might be confused. IE6 doesn't "detect" the Intranet zone; it's on whether you need it or not.

• Anonymous
  January 01, 2003
  Me:
  Excellent! You picked a new icon!
  Can you fix alpha channel display transparency errors in IE 6's PNG display now?
  
  Chris:
  Fred Vorck, please stick to the subject. They told us months ago that the PNG bug will be fixed.
  Here's the link: http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx
  
  ----
  
  Chris, if you don't bug the IE team about things constantly in all sorts of contexts, it won't get done.
  Also, no one ever told us that PNG transparency would be fixed in IE 6. Six. The number before seven and after five, etc etc. It is not unreasonable to ask that some features from IE7 make it into 6.
  It's all about sorting what users value and what they don't (FIX SIX FIX SIX FIX SIX). They're obviously not listening, Chris.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  November 16, 2006
  PingBack from http://www.vexentricity.com/?p=60

• Anonymous
  January 09, 2008
  PingBack from http://www.vistadownload.org/ie7/new-security-zone-controls-in-ie7.html

• Anonymous
  July 02, 2008
  PingBack from http://internetexplorerblog.info/?p=145

• Anonymous
  July 11, 2008
  PingBack from http://shayna.yourvidsdigest.info/cannotopenemailusinginternetexplorerwindowsxp.html

• Anonymous
  March 16, 2009
  안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을 포스팅했었죠. 오늘

• Anonymous
  May 29, 2009
  PingBack from http://paidsurveyshub.info/story.php?title=ieblog-dude-where-s-my-intranet-zone-and-more-about-the

• Anonymous
  May 31, 2009
  PingBack from http://woodtvstand.info/story.php?id=6619

• Anonymous
  June 08, 2009
  PingBack from http://quickdietsite.info/story.php?id=12371

• Anonymous
  June 16, 2009
  PingBack from http://lowcostcarinsurances.info/story.php?id=6883