Microsoft revamps browser security zones

Microsoft has detailed some significant changes in Internet Explorer 7's "security zones" that it claims will eliminate some of the browser's most notorious vulnerabilities.

Security zones are groupings of sites, each granted a different level of access to the local system. The zoning system has been an Achilles heel for Explorer in the past, with malicious sites able to gain access to the user's system by tricking the browser.

Microsoft's Vishu Gupta, Rob Franco and Venkat Kudulur, writing on the official IE Blog last week, said improvements such as URL parsing in Windows XP SP2 and Explorer 7 have been designed to limit such vulnerabilities. "If there is a flaw in IE's zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," they wrote.

The changes to the zoning system are designed to reinforce these improvements by making the zones themselves less permissive, Microsoft said.

One of the most significant changes for enterprise users will be the elimination of the intranet zone. "We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE," wrote Gupta, Franco and Kudulur.

In Explorer 7, Windows machines that aren't on corporate networks will treat apparent intranet sites as Internet. "This change effectively removes the attack surface of the intranet zone for home PC users."

If the machine has joined a domain, the browser should automatically detect intranet sites and run them under the usual, more permissive rules, Microsoft said. If the auto-detect mechanism doesn't work for whatever reason, admins will be able to set group policy for the intranet to ensure things work properly.

Users will also be able to implement intranet settings for particular sites, Microsoft said. "IE will show an information bar when visiting a probable intranet site," wrote Gupta, Franco and Kudulur. "If a user wants to re-enable their intranet zone, they'll be able to."

Internet zone and trusted sites

The other changes will be to the Internet zone and the trusted sites zone, Microsoft said. Settings will be locked down for the Internet zone -- it will run in Protected Mode on Windows Vista, and the ActiveX Opt-In feature will apply. This feature will give attackers one more barrier to get through before they will be able to execute malicious ActiveX controls, one of the more common ways of attacking Windows systems, Microsoft said.

The locked-down settings used in the Internet zone will be given a new designation: "Medium-High".

Microsoft said it has decided the trusted sites zone is probably too permissive to be safe. "We find that many users don't understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user's machine," wrote Gupta, Franco and Kudulur.

By default Explorer 7 will assign "trusted sites" a "Medium" security level, the level given to Internet-zone sites under Explorer 6, Microsoft said. Users will get the option of manually lowering the trusted-sites security settings back to the Explorer 6 level via Internet Options or through policy settings, Microsoft said.

Matthew Broersma