URL security zones

Internet Explorer has distinguished between different security zones for a couple of versions now, letting users and admins set a policy establishing a degree of trust for specific sites. Each URL security zone has a set of URL actions with a URL policy assigned to each action. The URL actions cover all operations that have security implications. A URL policy is assigned to each URL action to determine how that URL action will be handled.

That last sentence requires defining a few terms as Microsoft uses them:

- URL action is an action that a browser can take that might pose a security risk to the local computer. These include actions such as running a Java applet or an ActiveX control.

- URL policy is a policy that determines what permission or trust level is set for a particular URL action.

- URL security zone is a group of URL namespaces that are assigned an equal level of permission or trust. Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to the URL namespaces in that zone.

Each security zone has a template associated with it that determines the default settings for a slew of permissions. You can see the list in IE 6.0 by selecting Tools, then Internet Options, selecting the Security tab, and then clicking Custom Level.

The local intranet zone is used for content located on an intranet. Because the servers and information would be within a company's firewall, a user or company could assign a higher trust level to the content on the intranet. By default, the local intranet zone uses the Medium-Low Template. In Internet Explorer 4.0, the Local intranet zone used the Medium Template, since the Medium-Low template wasn't introduced until Internet Explorer 5.

The trusted sites zone is used for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Users can use this zone to assign a higher trust level to these sites to minimize the number of authentication requests. The URLs of these trusted Web sites would need to be mapped into this zone by the user. By default, the Trusted sites zone uses the Low Template.

The Internet zone is used for the Web sites on the Internet that do not belong to another zone, the rough and tumble world where unsafe code lurks. The default settings would cause the user to be prompted whenever potentially unsafe content was about to be downloaded. Web sites that are not mapped into other zones automatically fall into this zone, which, by default, uses the Medium Template.

The Restricted sites zone is used for Web sites that contain content that could cause, or could have previously caused, problems when downloaded. This zone could be used to cause the user to be prompted every time potentially unsafe content was about to be downloaded or to just completely prevent content from being downloaded. The URLs of these untrusted Web sites would need to be mapped into this zone by the user or by network policies. By default, the Restricted sites zone uses the High Template.

Finally, the Local Machine zone is an implicit zone that is used for content that exists on the user's computer. The content found on the user's computer, except for content cached by Internet Explorer on the local system, is treated with a high level of trust. This inherently assumes that once code is allowed to install itself on a local machine, it should be trusted in perpetuity. This is probably a reasonable assumption in the continuing balancing act between security and user convenience.
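
The defaults described above can be checked mechanically. The following added example (not code from this article or from Microsoft) compares a recorded template level for each zone against the default the article states and flags any zone set weaker than that default. The numeric values are the URLTEMPLATE_* constants from urlmon.h, which the article does not list; the function name, status labels and sample snapshot are constructed for illustration.

```python
# Added example: audit zone template levels against the defaults listed above.
# Numeric values are the URLTEMPLATE_* constants from urlmon.h (assumption:
# not given in the article). A higher value means a stricter template.
TEMPLATES = {
    0x10000: "Low",
    0x10500: "Medium-Low",
    0x11000: "Medium",
    0x12000: "High",
}
CUSTOM = 0x00000  # user picked Custom Level; no template applies

# Defaults stated in the article (IE 5 and later). The implicit Local Machine
# zone is left out because the article gives no template for it.
DEFAULTS = {
    "Local intranet": 0x10500,
    "Trusted sites": 0x10000,
    "Internet": 0x11000,
    "Restricted sites": 0x12000,
}


def audit_zones(snapshot):
    """Return (zone, status, detail) for every zone with a documented default."""
    findings = []
    for zone, default in DEFAULTS.items():
        level = snapshot.get(zone)
        if level is None:
            findings.append((zone, "MISSING", "no level recorded"))
        elif level == CUSTOM:
            # A custom level cannot be ranked; each URL action's policy
            # has to be reviewed individually.
            findings.append((zone, "CUSTOM", "review each URL action's policy"))
        elif level not in TEMPLATES:
            findings.append((zone, "UNKNOWN", hex(level)))
        elif level < default:
            detail = f"{TEMPLATES[level]} < default {TEMPLATES[default]}"
            findings.append((zone, "WEAKER", detail))
        elif level > default:
            detail = f"{TEMPLATES[level]} > default {TEMPLATES[default]}"
            findings.append((zone, "STRICTER", detail))
        else:
            findings.append((zone, "DEFAULT", TEMPLATES[level]))
    return findings


# Constructed snapshot for illustration, not taken from a real machine.
SAMPLE = {"Local intranet": 0x11000, "Trusted sites": 0x10000,
          "Internet": 0x10500, "Restricted sites": CUSTOM}

if __name__ == "__main__":
    for zone, status, detail in audit_zones(SAMPLE):
        print(f"{zone:17} {status:9} {detail}")
```

A "WEAKER" result on the Internet or Restricted sites zone is the finding to act on first, since those zones hold the least trusted content.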
