25 Years of Programming

How to configure Internet Explorer 7 Security Zones for high security

This article describes how to achieve the highest possible security in Internet Explorer. There are basic instructions for beginning users, explanations and advanced settings for more experienced users, and reference tables for custom settings.

Basic and quick Security Zone settings

If you're new to this or in a hurry, you can quickly improve the security of each zone just by using the IE slider controls.

Open the Internet Options dialog box from either of these locations:

  • IE7 > Tools > Internet Options > Security
  • Start > Control Panel > Internet Options > Security

Click on each zone, and set its slider to the level shown:

Zone: recommended setting

  • Restricted: High
  • Internet: High
  • Trusted Sites: Medium-high. If experience shows this is too restrictive for too many sites, you can reduce to Medium or tweak individual settings, but never put any setting below the level it has for Medium. For reference while doing this, there is a table showing all the individual settings for each security level.
  • Local Intranet: Medium-low

When done, click OK.

When visiting unfamiliar websites, these settings ensure that you have High security. When you are on a website that you trust and you need to allow features that the High setting doesn't permit (such as file downloads, JavaScript, or ActiveX), you can manually add that site to your Trusted Sites list, where security is lower and the needed features are allowed.

How to add a website to Trusted Sites

All sites start out in the Internet Zone. To add a site to Trusted Sites, go to:

  1. IE7 > Tools > Internet Options > Security > Trusted sites (click the green checkmark image) > Sites (button)
     
  2. Clear (uncheck) the "Require server verification for all sites in this zone" box.

This box appears to have been an afterthought, and when it is checked, it makes the Trusted Sites concept virtually useless. It only allows sites to be Trusted if they a) use secure "https" encryption on their web pages to prevent eavesdropping, and b) present an authorized certificate that guarantees their identity. The result is that only online banks and big commercial sites can ever qualify to be Trusted. https is too high a standard to expect all Trusted Sites to meet.

From the standpoint of personal information protection, https is important, and you should make sure it is used on any site where you enter credit card numbers or other critical personal information. It protects you from data interception and from fraudulent websites pretending to be other websites (phishing).

However, that has nothing to do with what the Security Zones were supposed to be for: keeping malware off your computer. From that standpoint, the more appropriate standard for trust is: "If I lower my security for this website, do I trust it not to install malware?"

  3. If you're currently viewing the site you want to add, IE7 automatically puts the URL (web address) in the "Add this website to the zone:" box. (If the address isn't in the box, it means this site is already Trusted.)
     
     If you're not viewing the site at the time you want to add it, manually type or copy-and-paste its URL into the "Add this website..." box. The URL looks like: http://www.websitename.com.
     
  4. When the site's address is in the box, click Add, then Close, then OK.
     
  5. (If you get an error message when trying to add the site, check to see if it is already in Trusted, or maybe in Restricted. A site can only be in one zone.)
     
  6. At the bottom right of the IE7 screen, you'll see the zone has changed from Internet to Trusted Sites.
     
  7. Refresh/Reload the page (F5) to turn on the newly-allowed features.

For those who want more detail

Why does a browser need security settings?

Web pages are plain text files which, by themselves, cannot harm your computer. So are emails. However, some of the text in them can be instructions to your browser or email viewer that tell it to do the following things:

  1. Launch a programming language such as JavaScript or VBScript and submit some text to it so it executes (runs) as a computer program.
  2. Fetch additional non-text content such as an image and place it on the page.
  3. Fetch non-text content such as a movie, Flash, audio, PDF, or Word document, Excel spreadsheet, etc., and feed it to an application (a plug-in, browser helper object, program on your local computer, or the Java Runtime Environment) which will then display it on the web page, play it, or render it in whatever media format is appropriate for it.

Each of these types of objects does have the potential to harm your computer under some circumstances.

  1. A JavaScript or VBScript program can be designed to do malicious things to your computer. Although its text can't harm your computer by itself, it CAN when it's fed into your browser's scripting engine and executed as a program.
  2. Images are occasionally crafted to be malicious.
  3. A Flash movie, or any of the other non-text files listed above, and others, can be designed to do malicious things to your computer. So although the plain text code containing the instructions to load them can't do any damage, the files themselves CAN, when they are loaded into the plug-in programs and displayed, played, or otherwise rendered.

The key to making your browsing safer is to restrict what types of these "secondary" objects are allowed to be fetched, restrict JavaScript and VBScript from executing, and restrict what types of applications (plug-ins, browser helper objects, or programs on the local computer) are permitted to be activated as the result of instructions on a web page or in an email.

You can be very secure if you ALWAYS disable ALL of these secondary objects and disallow ALL plug-ins, so that your browser only displays the text on the web page and absolutely nothing else, but you might find these restrictions unacceptably limiting, and some of your favorite web pages might not work properly.

How Internet Explorer Security Zones work

Shouldn't there be a way to differentiate between places whose content you believe is probably safe and other places where you suspect it might not be? That's what Internet Explorer's Security Zones are for.

Different sources deserve different levels of trust. A well known website you've visited many times without problems deserves more trust than a site you've never seen before and know nothing about.

By assigning sites to different zones, you can manage the amount of risk you face. When visiting new unfamiliar sites, your defenses are high, but if a trustworthy site requires additional features, you can put it in the Trusted Sites zone to enable them.

Here are the 4 Security Zones:

Local Intranet: Your local computer and the local area network it's connected to, if any. You and your family or coworkers probably have not created malicious files to damage your own computer system, so this zone has a low level of security. Web pages and files in this zone normally run with few restrictions or warning prompts.

Trusted Sites: Websites you're confident will not try to damage your computer with malicious files. A site only gets into the Trusted Sites zone if you put it there manually. You can base your decision on your experience or the website's reputation. The "trust" implied here only concerns whether you think a site might try to harm your computer. You might or might not like or trust a company in various different ways, for example, but any site can go in Trusted Sites as long as you're confident that its site isn't designed to be malicious and is competently enough maintained that it's not likely to get hacked and become malicious. The Trusted Sites zone has a medium level of security, higher than your local computer but low enough to allow various types of enhanced content to run or be displayed.

Restricted Sites: Websites you think WILL try to damage your computer with malicious files. Why this is a Zone, I don't know. Why would you go there? Putting a site in this zone (which you do manually) doesn't prevent you from going there. It would be more useful if it did, preventing you from accidentally returning to a site you discovered was bad. The Restricted Sites zone has a high level of security.

Internet: All other websites: ones you've never visited before and ones that fully function without your having to put them in Trusted Sites. By default, IE7 sets Internet Zone security lower than Restricted Zone. This makes no sense. You must go to an unfamiliar site, such as the hundreds of unfamiliar ones listed in search engine result pages, with your security set to the highest possible level. Otherwise, when do you move a site to the Restricted Zone? After you've gone there and it's already damaged your computer? No! Thus, the Internet Zone must be the one with the highest security level, and the Restricted Zone is basically useless.

Achieving Higher than High security

Screenshot of recommended IE7 Internet Zone settings.

For advanced users who want maximum security or enjoy tweaking settings, High is not the highest you can go. You can achieve "higher than high" security in the Restricted and Internet zones. In the Restricted Zone, absolutely everything possible should be disabled "on general principles" (even though you'll probably never use the zone, anyway). In the Internet Zone, two settings can be slightly lower than maximum because they are not that important and can be quite inconvenient, but Internet Zone security must still be very high for the reason given above: it includes all sites you've never visited before, and any one of them could be malicious.

A large text table of all the recommended settings for all the security zones is farther down this page.

The thumbnail at left goes to a composite screenshot of the recommended security settings for the Internet Zone only, as they appear in the Internet Options dialog box. (143 KB. After it loads, click the image to enlarge it.)

More security: disable risky plug-ins

Disable plug-ins from this location:

  • IE7 > Tools > Manage Add-ons > Enable or Disable Add-ons > Add-ons that have been used by Internet Explorer

Locate and select the plug-in, and then click Disable.

Disable Shockwave Flash

New security vulnerabilities keep surfacing in the Adobe Flash Player. In addition, Flash provides scripting capabilities that allow a Flash file to be maliciously designed. A user has no ability to disable these scripts. The only solution is to disable Flash. It's all or nothing. Disable Flash by disabling these Add-ons:

  • Shockwave Flash Object
  • Shockwave ActiveX Control

Where Flash is required and you believe it's safe, re-enable the Flash Object. So far, I have never needed to enable the ActiveX. 

You can set a few Flash security and privacy settings at the Adobe/Macromedia Flash Player Settings Manager. On that page, you specify the settings you want, and the web page configures those settings in the Flash Player installation on your computer. I was recently unable to make the Settings Manager work. The solution was to use Adobe's Flash uninstaller to completely uninstall the Flash Player, then use Control Panel > Add/Remove Programs to uninstall the Shockwave Player, and then reinstall only Flash from scratch. 

Disable Adobe Reader plug-in

Adobe Reader is another plug-in that has had its security woes. I keep both of the following plug-ins disabled all the time. When opening a .pdf in IE7, I get a warning popup that says, "One or more Adobe PDF extensions are disabled. This may impact how PDF's are displayed in Internet Explorer." In spite of that warning, the files display perfectly normally:

  • Adobe PDF Reader
  • Adobe PDF Reader Link Helper

Disable other plug-ins: Java, QuickTime...

Browsing through the list, you might find other plug-ins that you seldom use. If you don't use them, you probably don't keep them up to date, and out of date versions are often a security hazard. It is easy to re-enable a plug-in when you find you need it:

  • Java (one or more items labeled "Java Plug-in")
  • QuickTime ("QuickTime Object")
  • Windows Messenger ("Windows Messenger")

Filter or block dangerous websites

Internet Explorer never actually blocks a web page from being fetched, even if you "block" it with Content Advisor. What it does is download the page to your Temporary Internet Files folder and then refuse to display it.

To really block pages from being downloaded, you can use an internet security suite such as the one from Trend Micro. When you block a site with its Web Site Access Controls filter, it prevents your browser from sending requests to disallowed sites.


Notes

1) IE7 does not warn about viruses

Off-topic update 7-27-2008

Some people have been ending up on this page while searching for information about IE7 blocking them from accessing every website they attempt to visit, and showing a popup box that says:

"Internet Explorer Warning - visiting this web site may harm your computer"

This is NOT a legitimate message from Internet Explorer. It is a malware popup. If you see this warning, something is trying to infect your computer or has already done it. If the popup tries to make you visit a website to purchase an "antivirus" scanner, do not go there. The scanner program is a fake that installs malware instead. 

Try doing a web search on rogue antivirus. (That's what these things are being called.) That will give you useful information and maybe screenshots to help you identify which one you are being attacked by.

Internet Explorer by itself does not warn you about viruses or malware web pages, except for its Phishing Filter which only warns about phishing sites. Any virus warning that says it is from Internet Explorer is a fake.

These places do warn you about viruses:

  • Your antivirus program, but only if you ARE using an antivirus program!
  • Google and Yahoo show warning messages about harmful sites in their search results. The Google warning even says, "This site may harm your computer", but it is plain text on the page. It is NOT a popup in your browser.
  • Firefox 3 compares the sites you visit against the Google "Safe Browsing" database and blocks access to malicious pages, but it does NOT pop up messages trying to make you buy the phony XP Antivirus program.
  • The Internet Explorer 8 SmartScreen Filter does warn about phishing sites and other websites that Microsoft has determined are unsafe. The IE8 warning message is "This website has been reported as unsafe".

Comments and questions are welcome in the discussion forum.


Recommended Internet Explorer 7 settings for all Security Zones

When in doubt, if you don't understand what it is, disable it. You'll discover soon enough if you need it.

There is also a downloadable Microsoft Excel 2003 workbook containing the original source data for this table.

Dis = Disable.  Pro = Prompt.  En = Enable.  Hi = High.  Med = Medium.  Lo = Low. 

Columns: Security Setting | our recommended custom settings for Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments

.NET Framework
Loose XAML | Dis | Dis | Pro | En |
XAML browser applications | Dis | Dis | Pro | En |
XPS documents | Dis | Dis | Pro | En | XPS documents replace the MDI format that was used by Windows Document Imaging.

.NET Framework-Reliant Components
Permissions for components with manifests | Dis | Dis | Hi | Hi |
Run components not signed with Authenticode | Dis | Dis | Pro | En |
Run components signed with Authenticode | Dis | Dis | En | En |

ActiveX Controls and Plug-Ins
Allow previously unused ActiveX controls to run without prompt | Dis | Dis | Dis | En |
Allow Scriptlets | Dis | Dis | Dis | En |
Automatic prompting for ActiveX controls | Dis | Dis | Dis | En | This means automatically prompt the remote server to begin the download, not automatically prompt you to OK the download.
Binary and script behaviors | Dis | Dis | En | En |
Display video and animation on a webpage that does not use external media player | Dis | Dis | Dis | Dis |
Download signed ActiveX controls | Dis | Dis | Pro | Pro |
Download unsigned ActiveX controls | Dis | Dis | Dis | Dis |
Initialize and script ActiveX controls not marked as safe for scripting | Dis | Dis | Dis | Dis |
Run ActiveX controls and plug-ins | Dis | Dis | En | En |
Script ActiveX controls marked safe for scripting | Dis | Dis | En | En | Allows manipulation of the characteristics or operation of an ActiveX control using scripts. If ActiveX controls are enabled but this is disabled, it allows the control but disables the script.

Downloads
Automatic prompting for file downloads | Dis | Dis | Dis | En | Automatically prompt the remote computer to start the download (without asking your consent). If this is Disabled, you get the "Some files can harm your computer" warning and must manually OK the download.
File download | Dis | Dis | En | En | If Disabled, downloads are prohibited. If you launch a download, you are told it is not allowed, and cannot override it. Before the download, add the site to Trusted Sites, where you allow downloads.
Font download | Dis | Dis | En | En |
Enable .NET Framework setup | Dis | Dis | En | En |

Miscellaneous
Access data sources across domains | Dis | Dis | Dis | Pro |
Allow META REFRESH | Dis | Dis | En | En | Enables the code in a web page to automatically redirect your browser to another web page instead of the one you thought you were going to.
Allow scripting of Internet Explorer web browser control | Dis | Dis | Dis | En |
Allow script-initiated windows without size or position constraints | Dis | Dis | Dis | En |
Allow Web pages to use restricted protocols for active content | Dis | Dis | Pro | Pro |
Allow websites to open windows without address or status bars | Dis | Dis | Dis | En |
Display mixed content | Dis | Pro | Pro | Pro | Some web pages contain a mixture of secure (encrypted https) and nonsecure (http) content. When entering sensitive data into a form (credit card info, etc.), you should not allow the unsecured content to be displayed. This ensures that the form will be fully encrypted when sent back to the website. In practice, however, many websites are careless about serving https pages that have on them images from one of their other (http) servers, which causes IE to give the mixed content warning. If you are not entering sensitive data, this is not a security concern.
Don't prompt for client certificate selection when no certificates or only one certificate exists | Dis | Dis | Dis | En |
Drag and drop or copy and paste files | Dis | Dis | Pro | En |
Include local directory path when uploading files to a server | Dis | Dis | En | En |
Installation of desktop items | Dis | Dis | Pro | Pro |
Launching applications and unsafe files | Dis | Dis | Pro | En |
Launching programs and files in an IFRAME | Dis | Dis | Pro | Pro |
Navigate sub-frames across different domains | Dis | Dis | Dis | En |
Open files based on content, not file extension | Dis | Dis | En | En | This is MIME-sniffing. When enabled, a file that the server says is text, but that IE detects is actually a movie or other media type, may be "promoted" (in the Internet Explorer cache) to its actual (and potentially less safe) detected type so it can play. When this is disabled, a text file is treated as text regardless of the MIME type detected by IE, so potentially unsafe files don't get automatically promoted to a less safe type. If you try to download a media file and it displays as garbage text in your browser, this setting is the likely reason. It is especially common because the MIME types for Windows media files (.wma, .wmv) are not automatically known to Linux/Apache servers, and many webmasters don't know how to set up the correct MIME types.
Software channel permissions | Hi | Hi | Med | Med |
Submit nonencrypted form data | Dis | En | En | En | When entering sensitive information, you should make sure that the form is encrypted: the page is https and you get no warning about "mixed content". However, most forms you fill out are not sensitive, and when this is set to Prompt, the constant warnings are a nuisance. This setting is in red to indicate that you must make a judgment call when filling out a form: is this information sensitive enough that I should not fill it out because it isn't encrypted? When it is not encrypted, anyone eavesdropping along the path it takes back to the server can intercept and read it.
Use Phishing Filter | En | En | En | Dis |
Use Pop-up Blocker | En | En | En | Dis | "Using" it is different from turning it on. You can leave this En, but then turn it off via the Tools menu in the toolbar.
Userdata persistence | Dis | Dis | En | En |
Web sites in less privileged web content zone can navigate into this zone | Dis | Dis | En | En |

Scripting
Active scripting | Dis | Dis | En | En | This refers to JavaScript and VBScript. Many websites use these, but rarely for anything important. On the other hand, many viruses are written with JS and VBS, so scripting should always be disabled in the Internet Zone, for sites you have never visited before. About 96% of web surfers leave scripting enabled all the time, which puts them at unnecessary risk of infection. TURN SCRIPTING OFF! Most of the time you don't need it, and when you do need it, you can put the site in the Trusted Sites zone.
Allow Programmatic clipboard access | Dis | Dis | Pro | En | Do not allow websites to see what you have in your clipboard.
Allow status bar updates via script | Dis | Dis | Dis | En | Prevents websites from fooling you by modifying what is shown in the status bar at the bottom of the page. It is supposed to show the destination of links. Don't let websites change it to show you a destination that is different from the real one.
Allow websites to prompt for information using scripted windows | Dis | Dis | Dis | En |
Scripting of Java applets | Dis | Dis | En | En | Sun Java is completely different from JavaScript (see Active scripting, above), but Java applets (applications written in Sun Java) should also be disabled at sites you've never visited before.

User Authentication
Logon | Prompt for user name and password | Prompt for user name and password | Automatic logon only in Intranet Zone | Automatic logon only in Intranet Zone |
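The per-zone settings in the table above and the sites you add by hand in the "How to add a website to Trusted Sites" section both live in the current user's registry, so you can check what a machine actually has without clicking through every zone. The script below is an added example, not part of the original article; it assumes Microsoft's documented registry layout for zone settings (value names such as 1400, with 0 = Enable, 1 = Prompt, 3 = Disable) and compares a subset of the table's rows, flagging any zone that is weaker than recommended.

```powershell
# Added example, not from the original article: read-only audit of the current user's
# IE zone settings against the table above, then a list of the sites placed in a zone
# by hand. Assumes Microsoft's documented registry layout for zones (value names such
# as 1400; 0 = Enable, 1 = Prompt, 3 = Disable) and PowerShell 2.0 or later.
$zonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames   = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$stateNames  = @{ 0 = 'En'; 1 = 'Pro'; 3 = 'Dis' }

# A subset of the table's rows: registry value name, display name, and recommended
# state per zone number (4 = Restricted, 3 = Internet, 2 = Trusted, 1 = Intranet).
$checks = @(
    @{ Name = '1400'; Label = 'Active scripting';                               Want = @{ 4 = 3; 3 = 3; 2 = 0; 1 = 0 } },
    @{ Name = '1200'; Label = 'Run ActiveX controls and plug-ins';             Want = @{ 4 = 3; 3 = 3; 2 = 0; 1 = 0 } },
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';              Want = @{ 4 = 3; 3 = 3; 2 = 1; 1 = 1 } },
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';            Want = @{ 4 = 3; 3 = 3; 2 = 3; 1 = 3 } },
    @{ Name = '1201'; Label = 'Initialize and script ActiveX not marked safe'; Want = @{ 4 = 3; 3 = 3; 2 = 3; 1 = 3 } },
    @{ Name = '1803'; Label = 'File download';                                 Want = @{ 4 = 3; 3 = 3; 2 = 0; 1 = 0 } },
    @{ Name = '1406'; Label = 'Access data sources across domains';            Want = @{ 4 = 3; 3 = 3; 2 = 3; 1 = 1 } },
    @{ Name = '1608'; Label = 'Allow META REFRESH';                            Want = @{ 4 = 3; 3 = 3; 2 = 0; 1 = 0 } },
    @{ Name = '2200'; Label = 'Automatic prompting for file downloads';        Want = @{ 4 = 3; 3 = 3; 2 = 3; 1 = 0 } }
)

function Get-ZoneSetting([int]$Zone, [string]$Name) {
    # An absent value means IE is using its built-in template default; report it as unset.
    $key = Get-ItemProperty -Path "$zonesRoot\$Zone" -ErrorAction SilentlyContinue
    if ($key -and $key.PSObject.Properties[$Name]) { return [int]$key.$Name }
    return $null
}

$findings = foreach ($zone in 4, 3, 2, 1) {
    foreach ($c in $checks) {
        $actual = Get-ZoneSetting $zone $c.Name
        $want   = $c.Want[$zone]
        # 0 < 1 < 3 runs from most to least permissive, so a value below the
        # recommendation means the zone is weaker than the table says it should be.
        if ($null -eq $actual)     { $status = 'UNSET';  $shown = '-' }
        elseif ($actual -lt $want) { $status = 'WEAKER'; $shown = $stateNames[$actual] }
        else                       { $status = 'ok';     $shown = $stateNames[$actual] }
        New-Object PSObject -Property @{ Zone = $zoneNames[$zone]; Setting = $c.Label;
                                         Actual = $shown; Recommended = $stateNames[$want]; Status = $status }
    }
}
'Zone settings that differ from the recommendations:'
$findings | Where-Object { $_.Status -ne 'ok' } |
    Select-Object Zone, Setting, Actual, Recommended, Status | Format-Table -AutoSize

# Sites added by hand live under ZoneMap\Domains\<domain>[\<host>], with one DWORD per
# scheme ('http', 'https' or '*') holding the zone number. The key path stores the
# innermost label last (example.com\www), so reverse it to rebuild the host name.
'Sites you have assigned to a zone:'
Get-ChildItem -Path $domainsRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $parts = ($_.Name -replace '^.*\\Domains\\', '') -split '\\'
    [array]::Reverse($parts)
    $site  = $parts -join '.'
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if ('http', 'https', '*' -contains $p.Name) {
            '{0,-16} {1,-6} {2}' -f $zoneNames[[int]$p.Value], $p.Name, $site
        }
    }
}
```

A WEAKER line for the Internet zone is the one to act on first, since that zone covers every site you have never visited; the site list is worth re-reading occasionally so that a site you once trusted does not stay in Trusted Sites after you have stopped using it.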
Copyright ©2009 Steven Whitney. Last modified 10/22/2009.