Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)

Internet Explorer enforces security rules for websites by grouping them into categories or “security zones”. Today we want to explain the changes to security zones you’ll see in IE7 so we should first clarify what the security rules are in IE6.

On the Security tab of Internet Options under the tools menu, you will see the Internet, Intranet, Trusted Sites and Restricted Sites zones. The rules for security zones control how each group of websites is allowed to interact with your computer. If you put a site in the Restricted sites zone, IE will prevent the site from using features like script and ActiveX controls. The Internet Zone contains sites where most people browse and is intended to safely handle script and ActiveX controls tokeep you, the user, in control of what websites can do; for example if a site is in the internet zone, IE will block pop-ups windows from that site. The Intranet zone is really designed for sites built by a network administrator. Network administrators, particularly in corporations, commonly need some freedom to interact with your computer. For example, if you have an intranet, you may notice that IE still allows pop-ups windows. Because a site that’s truly on your intranet is likely to be an important application, the pop-up windows are likely from your network admin rather than an advertisement pop-up that’s common on the Internet. If you add a site to “Trusted Sites” in IE6, you are removing most restrictions from the site, you are granting the site enough control to automatically install software on your computer and use script to communicate with other sites on your behalf. Another zone that you can’t see is called the My Computer Zone and also has few restrictions similar to the Trusted Sites zone. The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allows more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen. 

Despite the URL parsing improvements; our threat-models will continue to drive us to add defense-in-depth against Zone-spoofing threats. We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. One of our interns this summer, Robert Liao, changed IE’s logic so that a Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet. This change effectively removes the attack surface of the intranet zone for home PC users.

Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone.

There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can’t set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranetzone, they’ll be able to.

We are also increasing security for the Internet Zone and the Trusted sites zone. The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista which helps provide defense-in-depth against some of the attacks IE has faced in the past. ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the internet zone (this feature deserves its own post). IE7 introduces a new security level for these additional protections, Medium-high.

With the Trusted Sites zone in IE6, we find that many users don’t understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user’s machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6. Customers who depend on the IE6 level of the Trusted Sites zone will be able lower settings back to IE6 levels with the slider on the “Security” tab of “Internet Options” or through policy settings.

 - Vishu Gupta, Rob Franco and Venkat Kudulur