Security Zones

http://www.homecomputingsecurity.com

 
What

 

 Utilize Security Zones in your MSIE Browser

 
Why

 

 You need to restrict "bad" web sites from performing “drive-by-installations.”

 
How

 

 MS Internet Explorer Security TAB has a feature for designating web site addresses as safe or unsafe with differing levels of activity they may engage in. Internet Explorer 7 makes the Trusted Zone equate to the Internet Zone by default, so the following content pertains to Internet Explorer version 6. It is recommended you upgrade to version 7 for greater security.

 
Detailed Information

2004 was the year of the Spyware threat - an emerging breed of malicious software that can range from unwanted pop-up ads to unseen programs that record keystrokes or take over a person's PC. Spyware and other unwanted software could slow PC performance, change a computer's configuration, and steal passwords and personal information. A November 2004 IDC study estimated that 67 percent of consumer PCs are infected with some form of spyware. These programs can get installed behind the scenes if your browser security settings are not properly set and monitored.

One of the greatest security protections on a Windows operating system comes within the MS Internet Explorer Security TAB and the ability to designate web site addresses as safe or unsafe with differing levels of activity they may engage in. An alternative method to protect you on the Internet is to maintain your local Hosts file and block specific site addresses. Not an easy task to maintain.

You need to pay attention to SECURITY ZONES and configure and monitor it periodically to prevent unauthorized Internet activities like spyware or Trojan installations so you may safely engage in “banking, buying or bidding” on the Internet. The programs later described help you manage the security levels and can supply lists of bad sites to add to the Security Zone.

 

To use the Internet safely – it cannot be overstated that you need to understand the use of Security Zones within Internet Explorer browser and audit the zone regularly for optimum protection.

 

The assumption for the discussion to follow is that you are using Microsoft Internet Explorer browser that is version 5 or 6 like the vast majority of Internet users today.

 

Open MSIE and go to Tools / Internet Options / and you will see these tabs shown to the right. Select SECURITY and you will see Four SECURITY ZONES:

 

TRUSTED SITES ZONE is for specific web site addresses that are well known and safe.

 

RESTRICTED SITES ZONE is for unknown or questionable zones you are not confident are safe to visit.

 

If a site is well known to be a mischievous site, it can be blocked by adding it to the local Hosts file.

 

Most of the millions of web sites will usually fall within the  INTERNET ZONE of moderate ability to perform actions.

 

The LOCAL INTRANET ZONE can apply if you are on a network, such as a corporate office.

 

 

Let’s first examine your TRUSTED SITES configuration. These are the good Internet sites for which you want to have all the browser functions be enabled such as ActiveX, Java and JavaScript. These functions make you vulnerable to “drive by downloads” so you only want sites you know and trust to be listed within the TRUSTED SITES zone.

 

1. To verify the Internet web sites you want to TRUST are all that are listed - select the SITES button, (circled in red.)

 

2. Verify that the TRUSTED SITES have the proper level of access set by selecting the CUSTOM LEVEL button, (also circled in red.)

 

 

 

 

 

When you select Custom Level Button with TRUSTED SITES ZONE highlighted, you now see the specific settings for this zone, shown to the left. These settings allow or don’t allow these actions to happen when you are browsing a web site in this zone.

 

You may adjust individual settings - or just select the LOW risk setting and hit RESET and OK to accomplish this. Much more convenient.

 

Trusted Sites are usually set to LOW risk.

Most actions are enabled by default.

 

 

Restricted Sites are usually set to HIGH risk. Most actions are disabled by default, shown to the right.

 

Internet web sites that are known to be “trouble makers” or dangerous may be specifically added to the RESTRICTED SITES ZONE. All functions beyond simple browsing are disabled for your greatest safety. You may select the HIGH setting and hit Reset to make sure all the disabled checks in place. I get paranoid that something could alter my settings. So hitting RESET periodically to make sure all are still set to HIGH is reassuring.

 

 

 

To see which domain names and sites are specifically added to each ZONE, just highlight the zone and select the SITES button. You will see the site addresses listed and you may add or remove the individual addresses as needed.

 

The images in the right show sample Trusted and Restricted sites or domain name addresses.

 

I add sites as needed to the Trusted Sites zone because I know I will be using functions that are needed for purchasing or banking when I browse these sites.

 

To make it easier to manage adding sites to the TRUSTED SITES ZONES, see the details to follow, about the Microsoft's Power Tweaks WebZone Accessory. This is a great browser toolbar that automatically is installed if you install the ENOUGH IS ENOUGH program (detailed below) – which takes the approach that all sites are NOT trusted by default - until you add them to the Trusted Sites zone using this toolbar (or manually entered into the Trusted Sites zone in the Security Tab as previously discussed.)

 

Sometimes, a new web site I visit just won’t function. If I decide the site is safe

 

 

and just add it to the TRUSTED SITES ZONE and refresh the page and it usually starts to work properly.

 

To add a “block list” of sites known to be bad to my Restricted Zone, the IE-

SPYAD2 program helps here, detailed below. It populates these sites for me. I can grab the latest version of IS-SPYAD2 from the author’s web site monthly to keep my block list up to date, if desired.

 

 

 

 

 

     

So now that you understand the advantages of using Security Zones, here are 3 free utilities you may install to automatically configure your ZONE SETTINGS within Internet Explorer browser to help you prevent dangerous web site activities. Researchers have identified harmful web sites that try to install hazardous ActiveX scripts to push Spyware on your computer, often without your knowledge. To implement these block lists - as a preventative measure, the following free programs make it easy!

I recommend you implement at least SPYWAREBLASTER below. For more extreme security precautions, implement IE-SPYAD or IE-SPYAD2 and the ultimate protection by implementing ENOUGH IS ENOUGH, also below.

 

 

 

 

 

 

SpywareBlaster - a FREE utility that cuts many Spyware delivery mechanisms off at the knees! It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, tracking cookies and other potentially unwanted software installed when visiting some web sites. It restricts the actions of potentially bad sites in Internet Explorer (IE) by populating a list of identified bad sites in your browser Restricted Zone so they cannot install Active-X script changes. It adds a list of known, ad-tracking cookie sites to restrict them in both IE and Mozilla Firefox browsers. It checks your IE settings and alerts you when major security settings are not at the recommended safe level, and will make the changes for you. It protects your IE home page from being changed. You can save an encrypted copy of your Hosts File and your browser settings for restore if they become altered or corrupted.  

Download:http://www.javacoolsoftware.com/spywareblaster.html

You install SpywareBlaster using your Admin account and update it’s definitions monthly. Then you just run SpywareBlaster from each additional limited user account to tweak the browser settings for those user accounts for the latest protection. It does not stay loaded in memory and thus does not affect CPU utilization. It can be updated manually with latest bad site list or you may pay $9.95 for a yearly subscription for automated, daily updating. It runs perfectly on Windows 95/98/2000/ME/NT/XP and protects the IE (includes AOL) and Firefox browsers. SpywareBlaster is freeware for personal and educational use. Note, some other anti-spyware programs may detect the Restricted Sites entries (a false-positive detection) and remove them. SpywareBlaster can easily add them back by your update.

  • SpywareBlaster does not need to be running to provide protection.

  • After you enable protection for any/all items, you can exit the program and you will still be protected (SpywareBlaster does not need to be running in the background).

  • You do not have to start up SpywareBlaster each time you start your computer either - your protection remains in place until you disable it whether SpywareBlaster is running or not.

  • But don't forget to run SpywareBlaster at least once a week to download the latest updates and enable protection for them! 

For an additional step up in browser protection, install:

 

 

 

 

 

 IE-SPYAD (or IE-SPYAD2)IE-Spyad2 – a FREE utility that adds even more sites associated with known advertisers, marketers, and crapware pushers to the Restricted Sites zone of Internet Explorer. (SpywareBlaster adds almost 6000 sites; IE-Spyad2 adds about 20,000, with some overlap. About 900 of these are adult sites.) Once you install this program using your admin account, this protection is made to all user accounts on your PC – even limited user accounts - via a Global registry setting. These web sites now will not be able to use cookies, ActiveX  controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.  

 
  • IE-SPYAD2.EXE - protects all user accounts on a multi-account PC simultaneously. Great for a home computer used by multiple family members with multiple account logins. (IE-SPYAD installs to the Registry location for the current user of the PC; IE-SPYAD2 installs to the global machine location, thus affecting all users and accounts on the PC.)

The third, more extreme option that reduces convenience but makes great security and is only for the initiated is:

Enough is Enough!  - another utility by Eric Howes that enforces your very own "opt-in" policy: all web sites are restricted by default so that no web sites get to use permanent cookies, ActiveX, Java, JavaScript and other potentially dangerous Internet Explorer options until you explicitly give them the go-ahead by putting those sites into your Trusted Sites zone. Adding them to your Trusted Sites zone is easy once you get the hang of it, but it does take a little effort each time you use the Internet and go to new sites. So for a family of computer users with some less-technical ones on the Internet, this could be too inconvenient. 

Why? The severely restrictive IE settings used by Enough Is Enough will “break” many web sites until you add them one by one to your Trusted sites zone. These settings will also disable third-party browser add-ons (commonly known as "plugins"). But you may install Enough is Enough and try it out – and it has an UNINSTALL routine to put your settings back should you not like the “opt-in” approach to surfing the internet.

When you install Enough is Enough you also receive Microsoft's Power Tweaks WebZone Accessory so that you can quickly and conveniently add sites you visit frequently (and which require permanent cookies or certain types of active content) to the Trusted sites zones. Once you add a site that you trust to the Trusted sites zone, it should start working again.

ENOUGH.EXE – Free download - use this along with IE-SPYAD/2. You need admin rights to install.

In the above image - note the GREEN CHECKMARK that you may click when visiting a web site that you want to add to your TRUSTED SITES zone. After a site or domain is added, it will be indicated that it is in the TRUSTED SITES zone by the indicator at the bottom right. Both are CIRCLED in RED.

Once a site is in your Trusted Sites zone, refresh the page and the active content should now start working. Periodically, you should revisit your Trusted Sites zone list to see all the sites that have been added and remove ones you are unsure about as family members can make mistakes and grant more rights to sites that are questionable: Tools / Internet Options / Security Tab / Highlight TRUSTED SITES and select SITES and you will see the addresses of all the Internet sites added.

 

Tools To Help You Manage your ZONES:

ZonedOut v3.1 is a complete Internet Explorer Security Zone Manager. It will help you to Add, Delete, Import, Export, items to your ZONES and build a WhiteList, etc.

Download ZonedOut for free at: http://www.funkytoad.com/zonedout.htm

 

 

Additional notes about ZONES:

  • The IE 6 browser has the ability to add IP addresses to the Restricted Zone. You’ll find many times these spyware parasites use an IP address rather than a URL. They do this to avoid being blocked by an entry in a Hosts file. However you can still add a layer of protection to your system by adding those IP addresses to the Restricted Zone.
  • To find web site addresses that slip past your shields, clear your browser cache, then browse for a while. Then close any open browser windows, go to Internet Options | General [tab] | Settings [button] | View Files [button]. Next: click the "Internet Address" header to sort the files by URL. Scroll the list, if you find a undesired address, either a URL or IP address - right-click the culprit in the "Name" header, and select: Properties. From there you can copy the entry. Once you have determined that this is an undesired site add the entry to the "Restricted Zone". In the event you are not sure, you can usually determine the "owner" from Sam Spade or DNSstuff.
  • Identify the owner of a web address: http://www.samspade.org/t/ and also at http://www.dnsstuff.com/pages/expert.htm
  • There are now a whole host of Trojans that will write multiple sites to the Trusted Zone of your browser. The majority of these culprits are now blocked entries in a free security-designed HOSTS file

ActiveX controls execute cool interactive elements on Web pages, but they provide access to the local Windows OS—highly risky. In Internet Explorer, click on Tools | Internet Options and go to the Security tab. The Custom Settings button takes you to Security Settings, where you can Choose:

- Prompt for Download signed ActiveX controls

- Disable for Download unsigned ActiveX controls.

  • If you are using Windows XP and while browsing the internet there is an attempt to pop up an ad from a site you have added to your RESTRICTED ZONE in your Internet Explorer browser - you also will see a popup window alerting you to this attempt, in this example from any site within doubleclick.net:

 

Simply click No and continue. Yes the prompts can be annoying but at least you'll know the attempt is being made and you proceed with the block or approve for it to pop up. (Sometimes, some web sites use a new window pop up to show you some content that you do want to see and this offers you the chance to avoid blocking it and see the pop up.)

 
Resources

 

 

 

 

 

 

 

 

 

 ACTIVEX

Hosts file

Here some final Secure Zone tips from Microsoft:

How to Use Security Zones in Internet Explorer

How to Use Wild Cards When You Add Web Sites to Security Zones

Restricted Web Site Uses Internet or Local Intranet Zone Security Settings

Problems Adding Top-Level Domains to Zone Sites List

Description of Internet Explorer Security Zones Registry Entries

A New Window Appears When You Visit Some Web Sites

Prevent Pop-up Ad Windows When Browsing with Internet Explorer

How to strengthen the security settings for the Local Machine zone in IE

Contact me at NofinerWeb.com