Security Zone Alternatives

Cycloid Torus

Secunia.com has posted some exploits on their website - and my current
configuration "failed" their test (Microsoft Internet Explorer Window
Injection Vulnerability and Microsoft Internet Explorer Two
Vulnerabilities). For the first, the advice given is good which I paraphrase
as - "Do not have any other browser windows open when you connect to and use
a secure site". The "solution" to the second is to keep Internet Zone set to
"High".

Several other security advisories (including the US government) also
recommend setting Internet Zone to "High" - though this makes using most
commercial sites in which you can have a relatively good degree of
confidence impossible.

I am wondering if the structure of the IE Security Zones could be better
employed. Please comment on the idea (friendly criticism invited - I already
know I'm ignorant).

Set Internet Zone to "High" - go to "Custom" - disable everything except
"Pop-up Blocker" (sadly, this means some programs which use ActiveX will
stop working - McAfee VirusScan v8 is one such - I failed to find a "fix"
for this and just "gave up" after weeks of trying)

Set Trusted Zone to "Medium" - enter secure (https:) sites into Site list
(so "who" are you going to trust??)

Set Intranet Zone to "Medium" - go to "Custom" and tweak anything that looks
too permissive (suggestions?) - select Sites and Advanced and enter only
those websites in which you have high confidence.

Thanks.
CT
 
Carey Frisch [MVP]

Consider installing a first-rate internet security program.

Norton Internet Security 2005
http://www.symantec.com/sabu/nis/nis_pe/

-- Includes Norton AntiVirus 2005
-- Includes Norton Personal Firewall
-- Includes prevention of annoying web pop-ups
-- Includes Parental Controls
-- All in one, easy-to-install package

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

----------------------------------------------------------------------------------

| Secunia.com has posted some exploits on their website - and my current
| configuration "failed" their test (Microsoft Internet Explorer Window
| Injection Vulnerability and Microsoft Internet Explorer Two
| Vulnerabilities). For the first, the advice given is good which I paraphrase
| as - "Do not have any other browser windows open when you connect to and use
| a secure site". The "solution" to the second is to keep Internet Zone set to
| "High".
|
| Several other security advisories (including the US government) also
| recommend setting Internet Zone to "High" - though this makes using most
| commercial sites in which you can have a relatively good degree of
| confidence impossible.
|
| I am wondering if the structure of the IE Security Zones could be better
| employed. Please comment on the idea (friendly criticism invited - I already
| know I'm ignorant).
|
| Set Internet Zone to "High" - go to "Custom" - disable everything except
| "Pop-up Blocker" (sadly, this means some programs which use ActiveX will
| stop working - McAfee VirusScan v8 is one such - I failed to find a "fix"
| for this and just "gave up" after weeks of trying)
|
| Set Trusted Zone to "Medium" - enter secure (https:) sites into Site list
| (so "who" are you going to trust??)
|
| Set Intranet Zone to "Medium" - go to "Custom" and tweak anything that looks
| too permissive (suggestions?) - select Sites and Advanced and enter only
| those websites in which you have high confidence.
|
| Thanks.
| CT
 
Cycloid Torus

Thanks for the suggestion - I bought and installed Norton AV 2004 when I
started using McAfee VirusScan v8 CD for a drink's coaster. I also run
ZoneAlarm, SpyBot Search & Destroy, Spyware Blaster and MailWasher Pro to
check emails before opening anything - all this thru a NAT router. The Norton
Security Scan (available gratis at the link you provided) says I'm fully
stealthed and up to date. Neither this nor Norton IS 2005, however, protects
against the IE6 vulnerabilities.

I am apparently wide open to the exploits identified by Secunia - and I was
hoping I could accomplish something with the security architecture. I just
do not feel that I understand the "Zone" approach well enough and
specifically, the selections via advanced button for the Intranet Zone.

Having a multiple level zone approach makes very good sense to me - as long
as I can keep from doing it wrong.
CT
 
Cycloid Torus

I've done some more digging and located a couple of KnowledgeBase articles
which seem to tie in with my question:

815141 is actually for Server 2003, but included the following:
"Notes: Do not add Internet sites to the Local intranet zone, because your
credentials are passed automatically to the site if they are requested."

- What are credentials for a Limited User in HomeXP and why would I be
concerned about sharing them?

174360 which applies to IE6 provides additional information without the
"caution" and gives some discussion of the "Advanced" issues in the section
beginning:

"On the Security tab, click the zone to which you want to assign a Web site
in the Zone box, and then click Add Sites.

If you add a Web site to the Local Intranet zone, "


What are the problems / issues with putting a known but insecure internet
site (like msn or google) into the "Intranet" zone and restricting Trusted
with a lower security level to https: secure sites?
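
The zone plan discussed in this thread can be checked against what Windows has actually stored. The following read-only PowerShell audit is an added example, not part of any post above; it assumes the per-user settings under HKCU (settings pushed by policy or stored machine-wide are not read) and flags dotted Internet-style names mapped to the Local intranet zone, which is the case the KB 815141 note warns about.

```powershell
# Added example: read-only audit of the current user's IE security zones.
# Assumption: only HKCU is inspected; policy-enforced settings are not read.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Data of the 1A00 ("Logon") value stored in each zone key.
$logon = @{ 0x00000 = 'Automatic logon with current user name and password'
            0x10000 = 'Prompt for user name and password'
            0x20000 = 'Automatic logon only in Intranet zone'
            0x30000 = 'Anonymous logon' }

# 1. Security level and logon behaviour of the three zones the thread discusses.
$zones = foreach ($z in 1..3) {
    $p = Get-ItemProperty -Path "$base\Zones\$z" -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    [pscustomobject]@{
        Zone  = $names[$z]
        Level = '0x{0:X5}' -f [int]$p.CurrentLevel   # 0x12000 High, 0x11000 Medium, 0x00000 Custom
        Logon = $logon[[int]$p.'1A00']
    }
}

# 2. Site-to-zone map: keys under ZoneMap\Domains are domains (subkeys are hosts);
#    each value name is a protocol (http, https, *) and its data is the zone number.
$sites = Get-ChildItem "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    # ...\Domains\example.com\www  ->  www.example.com
    $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
    [array]::Reverse($parts)
    $site  = $parts -join '.'
    foreach ($proto in $key.GetValueNames()) {
        if ($proto -eq '') { continue }               # skip the unnamed default value
        $zone = [int]$key.GetValue($proto)
        $note = ''
        if ($zone -eq 1 -and $site.Contains('.')) {
            $note = 'Internet-style name in Local intranet: credentials may be passed automatically'
        } elseif ($zone -eq 2 -and $proto -ne 'https') {
            $note = 'Trusted site not limited to https'
        }
        [pscustomobject]@{ Site = $site; Protocol = $proto; Zone = $names[$zone]; Note = $note }
    }
}

$zones | Format-Table -AutoSize
$sites | Sort-Object Zone, Site | Format-Table -AutoSize
```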
 