<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx</link><description>Internet Explorer enforces security rules for websites by grouping them into categories or “security zones”. Today we want to explain the changes to security zones you’ll see in IE7 so we should first clarify what the security rules are in IE6. On the</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Prompting for ActiveX controls</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501089</link><pubDate>Wed, 07 Dec 2005 20:45:32 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501089</guid><dc:creator>Careful user</dc:creator><description>This sort of relates to IE Security....&lt;br&gt;&lt;br&gt;Because ActiveX controls (and plug-ins) are useful for so many websites, but carry the potential for harm, my Internet Zone is set to prompt for ActiveX controls.  I have long wished that the prompt message would give me more detail as to the type of control/plug-in/content being invoked.  As it is, every control/plug-in, whether Acrobat Reader, Flash, or lethal-malware gives the same question:  &amp;quot;Do you want to allow software such as ActiveX controls and plug-ins to run?&amp;quot;  The choices are yes or no--sometimes my answer is &amp;quot;tell me more&amp;quot; but I have to make my best guess.&lt;br&gt;&lt;br&gt;In addition, I would like to be able to specify individual plug-ins and ActiveX controls as always trust, never trust, or prompt.  
I may always trust Acrobat Reader, but never trust another control/plug-in.&lt;br&gt;&lt;br&gt;Information is power; can I have a little power, please?  Thanks</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501091</link><pubDate>Wed, 07 Dec 2005 20:45:58 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501091</guid><dc:creator>Jerry</dc:creator><description>Thanks! We were wondering what the infobar was trying to tell us when we ran our asset management system (prior to domain join) on current builds. It wasn't intuitive what &amp;quot;enable intranet settings&amp;quot; meant.</description></item><item><title>confirm dialog blocked as a popup?</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501093</link><pubDate>Wed, 07 Dec 2005 20:48:41 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501093</guid><dc:creator>jim</dc:creator><description>I was just using the IE7 beta in standalone mode, and noticed that it blocks javascript confirm dialogs as popups.  Is this part of the new &amp;quot;security&amp;quot; upgrades, or a bug in the popup blocker?  Or a problem caused by running it in standalone mode?&lt;br&gt;&lt;br&gt;Thanks!</description></item><item><title>re: Dude, where’s my intranet zone? 
(… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501111</link><pubDate>Wed, 07 Dec 2005 21:06:31 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501111</guid><dc:creator>Josh</dc:creator><description>Great info, I wish the other teams at MS were so forthcoming with information.</description></item><item><title>re: Dude, where's my intranet zone?</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501130</link><pubDate>Wed, 07 Dec 2005 21:35:50 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501130</guid><dc:creator>-</dc:creator><description>Why doesn't IE just scrap the zones entirely? Other browsers don't use them because they're confusing. If you allow one zone to be set at low security, then it's going to lead to cross-zone attacks like these:&lt;br&gt;&lt;br&gt;&lt;a rel="nofollow" target="_new" href="http://secunia.com/advisories/12889/"&gt;http://secunia.com/advisories/12889/&lt;/a&gt;&lt;br&gt;&lt;a rel="nofollow" target="_new" href="http://secunia.com/advisories/11793/"&gt;http://secunia.com/advisories/11793/&lt;/a&gt;&lt;br&gt;&lt;br&gt;I won't be upgrading to Vista or using IE7 anywhere unless they change this.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501209</link><pubDate>Wed, 07 Dec 2005 23:43:46 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501209</guid><dc:creator>Universalis</dc:creator><description>Is there in IE7 a difference between how Authenticode-signed .EXEs and unsigned .EXEs are treated from the user's point of view? We tend to supply our software as a signed downloadable .EXE installer, but I can't see any difference in behaviour in IE5/IE6 between whether it's signed or not. 
Perhaps, though, this is a matter of the zone I've assigned to the download site.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501215</link><pubDate>Wed, 07 Dec 2005 23:50:31 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501215</guid><dc:creator>Fiery Kitsune</dc:creator><description>Dump ActiveX... Eolas keeps telling you to.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501245</link><pubDate>Thu, 08 Dec 2005 00:46:38 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501245</guid><dc:creator>Joel</dc:creator><description>All these different zones are nice but why not have an OS that use groups and permissions correctly...? No other browser worries about security zones... Why does IE have to...?</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501267</link><pubDate>Thu, 08 Dec 2005 01:20:09 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501267</guid><dc:creator>TheTOM.SK</dc:creator><description>I like the zones, and if someone does not know how to use them, then he does not need to use them at all. I have restricted zone at high as well as internet, but thanks to IE-SpyAD I know if the site is restricted. Since I do not use a realtime antispyware, IE-SpyAD helps me to identify the &amp;quot;bad&amp;quot; sites.</description></item><item><title>re: Dude, where’s my intranet zone? 
(… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501320</link><pubDate>Thu, 08 Dec 2005 02:48:16 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501320</guid><dc:creator>John Bedworth [MSFT]</dc:creator><description>&amp;quot;Because ActiveX controls (and plug-ins) are useful for so many websites, but carry the potential for harm, my Internet Zone is set to prompt for ActiveX controls. I have long wished that the prompt message would give me more detail as to the type of control/plug-in/content being invoked.... can I have a little power, please?&amp;quot;&lt;br&gt;&lt;br&gt;Well, it sounds like you are running IE the same way I used to, and frankly you are exactly the type of user we had in mind when we designed and implemented the &amp;quot;Manage Add-ons&amp;quot; feature in XPSP2 and IE7.  This feature effectively lists every bit of binary extensibility ever loaded in the browser, complete with GUID, publisher (if known), binary name, etc., and allows the user complete control of which extensibility is enabled.  Give it a go and let me know if it isn't what you were looking for; I know it makes a world of difference to me.&lt;br&gt;&lt;br&gt;-- John</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501331</link><pubDate>Thu, 08 Dec 2005 03:00:51 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501331</guid><dc:creator>EricLaw [MSFT]</dc:creator><description>&amp;lt;&amp;lt;I won't be upgrading to Vista or using IE7 anywhere unless they change this.&amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;If you really want a Zone-less IE, it is simple enough to get IE to behave as if Zones don't exist.  Simply set your security settings for each zone to the same value, and zones are then irrelevant.
&lt;br&gt;&lt;br&gt;&amp;lt;&amp;lt;All these different zones are nice but why not have an OS that use groups and permissions correctly...?&amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;I'm not sure I understand your question.  What OS do you feel &amp;quot;uses groups and permissions correctly&amp;quot;?  Zones essentially ~are~ a mechanism for creating security groups and assigning them permissions.  Or are you suggesting that Windows' permission model should be extended to apply to websites?&lt;br&gt;&lt;br&gt;(As for the suggestion that other browsers don't support Zones: As far as I know, Zones basically do exist in many browsers that support chrome extensibility.  They are used to prevent remote sites from manipulating local browser chrome, an privilege which is restricted to content on the local machine.)&lt;br&gt;</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501344</link><pubDate>Thu, 08 Dec 2005 03:25:58 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501344</guid><dc:creator>PatriotB</dc:creator><description>Couple questions...&lt;br&gt;&lt;br&gt;1. Is it correct to assume that the lockdown of the intranet zone on non-domain computers applies to localhost as well?&lt;br&gt;&lt;br&gt;2. Since you brought up the popup blocker... can we get a response to the issue of popups being allowed via &amp;quot;HTML Document&amp;quot; and &amp;quot;DHTML Edit Control Safe for Scripting&amp;quot; ActiveX controls?  Is this a &amp;quot;by design&amp;quot;, &amp;quot;will fix&amp;quot;, &amp;quot;fixed in IE7&amp;quot; etc?  I hope it's not by design; I'd rather not have to block the DHTML control altogether just to block popups. (I have already blocked HTML Document with no negative side-effects).  Personally, I think these should be fixed for IE6 SP2 as well as IE7.
&lt;br&gt;&lt;br&gt;And a comment: I really like how the security settings are tied in to the Security Center on Vista 5231.  Immediately upon changing a single setting to a less-secure setting, the Security Center chimed in saying the PC is at risk.  This is a good thing and should help users keep the somewhat-complex IE security settings set to safe values.  (Also, it would be great if 3rd-party apps could integrate into the security center this way.  Of course that opens up the door to abuse, so maybe it's not such a good idea ;-))</description></item><item><title>IEAK</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501564</link><pubDate>Thu, 08 Dec 2005 18:15:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501564</guid><dc:creator>Øystein</dc:creator><description>Managing IE in a enterprise network is today hell - what about a new IEAK?</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501605</link><pubDate>Thu, 08 Dec 2005 19:48:49 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501605</guid><dc:creator>James</dc:creator><description>Hi, thanks for taking the time to publish your plans in an informative article. I had some questions.&lt;br&gt;&lt;br&gt;I am wondering why domain administrators aren't expected to configure trusted sites themselves, via group policy. If they must do so for workgroup computers, and must manage the intranet servers themselves, it doesn't seem like a great stretch.&lt;br&gt;&lt;br&gt;On the other hand, why was it important to remove detection of the intranet zone for home users, rather than increase the default settings to be identical to the internet zone and maybe show a scary confirmation message with three variously phrased cancel buttons, a checkbox and a small ok button on any attempt to change it?
&lt;br&gt;&lt;br&gt;On the subject of zones, I've always been confused by the use-case for the Restricted Sites zone. When is this used? Surely, users aren't expected to add sites to it before browsing to them. Is it mostly useless? Is it only for use by Outlook and similar hosts that explicitly request it? How does it differ from the new protected mode?&lt;br&gt;&lt;br&gt;This might make me sound pretty stupid, but let me explain why I'm having difficulty understanding. IE7 seems to have the following zones:&lt;br&gt;  * The local machine zone. Same as internet, following XPSP2 lockdown. Can't be configured anyway.&lt;br&gt;  * The local intranet zone. In IE7, it might as well be the same as the internet zone.&lt;br&gt;  * The internet zone. The default for anything that isn't in an equivalent zone.&lt;br&gt;In other words, this elaborate scheme seems entirely superfluous to the outsider, yet is a source of risk by your own assessment. Consequently, we're to be left with the coarse-grained whitelisting and blacklisting features that masquerade as the trusted sites and restricted sites zones.&lt;br&gt;&lt;br&gt;I was also interested in clarification between IE's notion of zones and the shell's: when I browse to an SMB share on my network, the status bar dutifully reports that it's in the &amp;quot;Local Intranet&amp;quot; zone. Presumably this won't be affected?&lt;br&gt;&lt;br&gt;Overall, I'm glad to see the change. I've never really trusted the Local Intranet zone because I don't understand what it does for laptops, the site options for the zone like &amp;quot;Include all UNC paths&amp;quot; are seemingly empty of meaning, and in general it doesn't make sense to make security decisions without being able to confirm a site's identity... and who runs SSL web servers at home?&lt;br&gt;&lt;br&gt;(I'm using a different browser, of course. It has a very fine-grained CAPS feature, and doesn't attempt to guess what permissions I would grant the site. 
Oh, and fewer exploits are written for it, for whatever reason).</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501766</link><pubDate>Fri, 09 Dec 2005 01:18:28 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501766</guid><dc:creator>Duncan Godwin</dc:creator><description>I can see the value of zones, but when working as a home user I don't think I have enough choice.  I would rather not trust most sites by default, and if I want to use the functionality of that site fully I would move it into a My Sites zone for example.  How this contrasts to what we have currently is I could have an arbitrary set of zones with different permissions (with the most restrictive one as default).  My 'my sites' user definable zone might allow Flash and JavaScript etc.&lt;br&gt;&lt;br&gt;On another matter entirely I have been watching quite a few of the PDC videos and they all sit in the same directory.  I get the are you sure you want to run script every time I start one and can't add that directory to be trusted (I guess because it's from my computer).&lt;br&gt;&lt;br&gt;My emphasis of this comment is I would like to lock down as much as I can and open up when necessary, but opening up doesn't mean giving a full range of permissions because one site in that zone might require it.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501811</link><pubDate>Fri, 09 Dec 2005 02:48:55 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501811</guid><dc:creator>EricLaw [MSFT]</dc:creator><description>&amp;lt;&amp;lt;I browse to an SMB share on my network, the status bar dutifully reports that it's in the &amp;quot;Local Intranet&amp;quot; zone. 
Presumably this won't be affected? &amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;Actually, the zones used by the shell match IE's zones, so this would show as Internet.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#501906</link><pubDate>Fri, 09 Dec 2005 07:22:26 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:501906</guid><dc:creator>James</dc:creator><description>Eric, Explorer's zone currently does match IE6's. If you read carefully, I didn't suggest otherwise. I assume that will continue, but will changing that zone from the local intranet zone to the internet zone have consequences?&lt;br&gt;&lt;br&gt;Maybe that sounds like a foolish question to you. After all, I don't have any idea what it would mean to apply zone restrictions to a file share (I notice that file preview still works, along with various other shell extensions). On the other hand, to outsiders, the zone system was seemingly dreamt up and is preserved by crack addicts and its very principle seems contrary to secure design, so as a customer (of your operating system and some embedding applications), I need to understand how it will affect me and how to work around it as best as possible.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#502245</link><pubDate>Sat, 10 Dec 2005 03:15:48 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:502245</guid><dc:creator>vsync</dc:creator><description>Windows security will stop being a sad farce the day Windows stops looking at filenames to figure out what to do with the file.  Particularly for executable formats.</description></item><item><title>re: Dude, where’s my intranet zone? 
(… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#502302</link><pubDate>Sat, 10 Dec 2005 06:32:35 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:502302</guid><dc:creator>streaky</dc:creator><description>&amp;quot;Powerful add-ons like ActiveX controls are part of what make browsing such a rich experience but any extensibility can also introduce threats to browser security.&amp;quot;&lt;br&gt;&lt;br&gt;To think it only took 15 years to figure that out, now all you need to do is realize how big a threat they are and deal with them effectively, so IE 8 in 2030 will be great, really looking forward to that ;)</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#502328</link><pubDate>Sat, 10 Dec 2005 09:18:07 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:502328</guid><dc:creator>EricLaw [MSFT]</dc:creator><description>&amp;lt;&amp;lt; I don't have any idea what it would mean to apply zone restrictions to a file share &amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;The only interesting side-effect I've seen is that you are now prompted before running unsigned executables from the SMB share.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#502921</link><pubDate>Tue, 13 Dec 2005 02:41:16 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:502921</guid><dc:creator>ray</dc:creator><description>How will your customers who don't run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode.
&lt;br&gt;&lt;br&gt;What will happen when IE7 suddenly kills their Intranet sites?&lt;br&gt;&lt;br&gt;Not suggesting you change the planned behaviour, just trying to inject some reality - it's not an all-Microsoft world out there yet.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#502999</link><pubDate>Tue, 13 Dec 2005 05:31:32 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:502999</guid><dc:creator>ShadowChaser</dc:creator><description>The zone improvements seem good, but what happens the second I submit a web form? &lt;br&gt;&lt;br&gt;In all other versions of IE, I get dropped into the &amp;quot;mystery&amp;quot; Custom zone, causing other security apps (like MBSA) to report me as being unsecure.&lt;br&gt;&lt;br&gt;This comment is really ugly:&lt;br&gt;&amp;quot;Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet.&amp;quot;&lt;br&gt;&amp;quot;Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone.&amp;quot;&lt;br&gt;&lt;br&gt;Yes, that's exactially what I would expect - Microsoft abusing their desktop monopoly yet again. &lt;br&gt;&lt;br&gt;At every excuse you can get you lock people into your server product. People running J2EE? Apache? Oh they must be insecure, given that they are competing products. Not a domain member? Oh that means they aren't generating extra revenue for Microsoft, lets treat them like second class citizens.&lt;br&gt;&lt;br&gt;I fail to see how this is any more secure than the old model. 
Traffic in the private network IP blocks are not routable over the public Internet. A rogue web server running on a domain member is no more secure than a legitimate web server running on a non-Windows or non-domain member.&lt;br&gt;&lt;br&gt;I'm generally a big supporter of Microsoft in my office, but this is completely inexcusable. Internet Explorer holds a virtual stranglehold over the Intranet/Corporate market - Firefox and other alternative browsers haven't been able to touch it. &lt;br&gt;&lt;br&gt;I imagine once you have finished pissing off every single company running a mixed-environment, they'll re-evaluate their IE investment.</description></item><item><title>Safety for kids.</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#503272</link><pubDate>Tue, 13 Dec 2005 23:37:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:503272</guid><dc:creator>texastig</dc:creator><description>Will the new IE7 be able to block all websites and only allow ones I want?&lt;br&gt;I just want to protect my kids.&lt;br&gt;thanks</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#503423</link><pubDate>Wed, 14 Dec 2005 06:14:13 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:503423</guid><dc:creator>PatriotB</dc:creator><description>&amp;quot;How will your customers who don't run Windows AD and group policies be impacted? For example, there are large numbers of Windows clients on Novell Netware networks running in workgroup mode. &lt;br&gt;&lt;br&gt;What will happen when IE7 suddenly kills their Intranet sites?&amp;quot;&lt;br&gt;&lt;br&gt;&amp;quot;Suddenly kills&amp;quot; is a bit of an exaggeration.  Hopefully these companies tested IE7 on their web apps to see what happens, and came up with a strategy to handle it, prior to deploying it.  
(That takes the &amp;quot;suddenly&amp;quot; out of the sentence.)&lt;br&gt;&lt;br&gt;The strategy is making changes to &amp;quot;settings for the Intranet to make sure that IE behaves as they wish&amp;quot; as mentioned in the article.  If the company isn't/can't use group policy, hopefully they have some other management software that can deploy registry settings to all the computers in their network.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#503462</link><pubDate>Wed, 14 Dec 2005 08:48:46 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:503462</guid><dc:creator>EricLaw [MSFT]</dc:creator><description>texastig: If you have Windows Vista, you can make use of Windows Parental Controls (mentioned here: &lt;a rel="nofollow" target="_new" href="http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx"&gt;http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx&lt;/a&gt;).  On XP, you can use the existing Content Ratings feature carried over from XP.&lt;br&gt;&lt;br&gt;PatriotB: Yup, in most Novell deployments I've seen, login scripts are used to manage registry keys controlling enterprise-wide policies.  &lt;br&gt;&lt;br&gt;ShadowChaser: IE7 will resolve the issue that submitting a webform changes you to the &amp;quot;Custom&amp;quot; security template for a given zone.  We're also introducing a new feature which will explicitly note when you have insecure settings in INETCPL.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#503472</link><pubDate>Wed, 14 Dec 2005 09:21:23 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:503472</guid><dc:creator>UN</dc:creator><description>I don't know what to say, except... 
I'm not getting a warm fuzzy.  But then I've never really understood what you guys were thinking when you came up with the existing security zone architecture.  Why a fixed number of zones, special cases, hidden zones, expecting users to duplicate settings in multiple zones, etc?&lt;br&gt;&lt;br&gt;Say a user wanted to run with the same privileges across the board.  Shouldn't they be able to configure one and only one zone, named whatever they want... &amp;quot;Default Zone&amp;quot; let's say... and maintain their settings in just one place?&lt;br&gt;&lt;br&gt;A sound approach is to make default permissions appropriately restrictive, and then grant them on an as-needed basis.  That approach requires support for creating any number of custom access levels, or zones in this case.  How can users do that?&lt;br&gt;&lt;br&gt;There shouldn't be hidden zones which are tweaked via obscure registry keys.  Having a local, my computer zone makes sense, but it should be visible and have an interface.  Having the default settings for that zone be tight makes sense, but it also makes sense for there to at least be a way to relax restrictions on pages in certain directories.  Can that be done?&lt;br&gt;&lt;br&gt;All these mechanisms to protect one's computer and self... shouldn't the user have the ability to configure a Prohibited Sites zone?&lt;br&gt;</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#503680</link><pubDate>Wed, 14 Dec 2005 21:50:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:503680</guid><dc:creator>ray</dc:creator><description>PatriotB: OK, &amp;quot;suddenly kills&amp;quot; was a bit harsh :)&lt;br&gt;&lt;br&gt;There are lots of tools to emulate &amp;quot;group policies&amp;quot; on non-AD networks, including reg files, tools such as Novell Zenworks, etc.
&lt;br&gt;&lt;br&gt;The point, however was that IE7 will behave differently on a Microsoft Windows domain than it will on a non-Microsoft server infrastructure. This imposes an extra burden on companies (Microsoft client OS customers) using a competitor's back-end products, rather than Windows Server and AD.&lt;br&gt;&lt;br&gt;IE7 will naturally and fairly quickly become a &amp;quot;required&amp;quot; update for security and standards reasons. This is good.&lt;br&gt;&lt;br&gt;However, certain changes in behaviour could delay organizations from upgrading. This is bad.&lt;br&gt;&lt;br&gt;If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.&lt;br&gt;&lt;br&gt;The case for changing the Windows XP Home behaviour is definitely much more pronounced than the behaviour of XP Pro in a non-AD environment.&lt;br&gt;&lt;br&gt;</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#504574</link><pubDate>Fri, 16 Dec 2005 10:55:01 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:504574</guid><dc:creator>Will</dc:creator><description>&amp;lt;&amp;lt;If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.&amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;I think you might be confused.  IE6 doesn't &amp;quot;detect&amp;quot; the Intranet zone; it's on whether you need it or not.</description></item><item><title>re: Dude, where’s my intranet zone? 
(… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#504575</link><pubDate>Fri, 16 Dec 2005 10:55:01 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:504575</guid><dc:creator>Will</dc:creator><description>&amp;lt;&amp;lt;If there are specific reasons or bugs for not using the current intranet detection logic to provide a consistent experience going from IE6 to IE7, then it should still be possible to rectify this without changing the end-user experience.&amp;gt;&amp;gt;&lt;br&gt;&lt;br&gt;I think you might be confused.  IE6 doesn't &amp;quot;detect&amp;quot; the Intranet zone; it's on whether you need it or not.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#505010</link><pubDate>Sat, 17 Dec 2005 16:38:24 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:505010</guid><dc:creator>Fred Vorck</dc:creator><description>Me:&lt;br&gt;Excellent! You picked a new icon!&lt;br&gt;Can you fix alpha channel display transparency errors in IE 6's PNG display now?&lt;br&gt;&lt;br&gt;Chris:&lt;br&gt;Fred Vorck, please stick to the subject. They told us months ago that the PNG bug will be fixed.&lt;br&gt;Here's the link: &lt;a rel="nofollow" target="_new" href="http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx"&gt;http://blogs.msdn.com/ie/archive/2005/07/29/445242.aspx&lt;/a&gt;&lt;br&gt;&lt;br&gt;----&lt;br&gt;&lt;br&gt;Chris, if you don't bug the IE team about things constantly in all sorts of contexts, it won't get done.&lt;br&gt;Also, no one ever told us that PNG transparency would be fixed in IE 6. Six. The number before seven and after five, etc etc. It is not unreasonable to ask that some features from IE7 make it into 6.
&lt;br&gt;It's all about sorting what users value and what they don't (FIX SIX FIX SIX FIX SIX). They're obviously not listening, Chris.</description></item><item><title>re: Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#508205</link><pubDate>Fri, 30 Dec 2005 17:56:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:508205</guid><dc:creator>Zach</dc:creator><description>Ok - Why would they go back  - and remake six, to support png transparency (which barely existed when the core of the current IE was made) - when they have a product it works in?  Not to mention, a product that they more or less give away for free?  People want to complain about prices, then they want to complain that Microsoft doesn't do everything in the world - for free I guess.&lt;br&gt;----&lt;br&gt;&lt;br&gt;Anyway - really wanted to echo the comments a few up - what we honestly need is everything set to restricted by default, and an easy to get to button on the toolbar to toggle it to trusted.  I know many may disagree - but I see no use for more than two zones - (if you allow user initiated downloads from the default restricted that is) - either you trust the site, or you don't know if you trust the site - so you shouldn't take em out of restricted.&lt;br&gt;&lt;br&gt;I honestly think a system like that would basically kill off the BS.  At the same time, that would allow developers to fully use the toys that IE has that really sets it apart from any other browser.  
It's those things that we cannot use on the web that really keeps me liking IE, with the hopes that someday - maybe, I can have them back :)&lt;br&gt;&lt;br&gt;I do not even think the most easily confused user would have difficulty with such a system - any &amp;quot;bad&amp;quot; site they would be limited to html only to try to trick someone - and that's gonna be difficult, and to really ensure no problems - you could easily add in to the current anti spoofing system a simple counter - how many people have this site trusted, how many people do not - which would make it really simple for someone that doesn't have a clue - if 4,353 say bad - and 1 says good - pretty obvious.  That would also be in keeping with the general idea of people helping people - one simple action, done by thousands of people, provides an instant answer of if this is a site to be trusted or not.&lt;br&gt;&lt;br&gt;We in so many ways are going sideways, if not backwards, on the web - while trying to pretend to be going forward.  Every day - more and more of what we can do as developers, and in turn as users, has to be restricted.  I can see the day coming down the road where we are back to Text only webpages being the only safe way to go - any form of binary file will always have the potential to do something other than intended.  The net really needs to start mirroring the real world and browsers need to stop trying to be a babysitter. 
- they do need to do what we expect though - &lt;br&gt;&lt;br&gt;In the real world - you go down to some sleazy bar, and start flashing a handful of hundreds around - and bad things happen to you - pretty much everyone you tell about it is going to ask, &amp;quot;What did you expect?&amp;quot; Most people know better than to try to walk across the Autobahn, most people know it would be dumb to go stand in front of the local cop shop and moon every cop that walks out - the net has to get to the point where we treat it the same - where you, the user, have to just not do the dumb thing - if you do, well - nobody is going to feel too sorry for the idiot that was mooning the cops, and they may think it's tragic that you decided to walk across the bahn, but everyone is going to consider it your fault you just got hit by that Porsche going 190.&lt;br&gt;&lt;br&gt;Really - I am just getting tired of the fact that we are allowing a handful of people in the world, control what we can and cannot do.</description></item><item><title>Vexentricity  &amp;raquo; Blog Archive   &amp;raquo; IE7 Bug Day - Run once</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#1087399</link><pubDate>Thu, 16 Nov 2006 20:13:24 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1087399</guid><dc:creator>Vexentricity  » Blog Archive   » IE7 Bug Day - Run once</dc:creator><description>&lt;p&gt;PingBack from &lt;a rel="nofollow" target="_new" href="http://www.vexentricity.com/?p=60"&gt;http://www.vexentricity.com/?p=60&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>Internet Explorer 8 Security Part 5: Comprehensive Protection</title><link>http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx#9483046</link><pubDate>Tue, 17 Mar 2009 12:01:48 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9483046</guid><dc:creator>IE8 Team Blog</dc:creator><description>&lt;p&gt;Hello! I am Eric Lawrence, the person in charge of the Internet Explorer security program. Last Tuesday, Dean posted our thoughts on a trustworthy browser. Today&lt;/p&gt;
</description></item></channel></rss>