The company has now detailed several changes in the way IE 7 will classify Web sites for security, hoping that the ultimate effect will be to reduce the likelihood that users will fall victim to malicious code. Currently, IE has four classifications for Web sites: Internet, local intranet, trusted, and restricted. The browser then uses these classifications to determine whether certain functions will be allowed to execute, for example whether ActiveX controls can run or not. For IE 7, Microsoft is working on preventing the browser from running malicious code in less restrictive security zones.
The local intranet zone is not really relevant for home users, the engineers said. Instead, a change has been made to IE 7 so that, when a PC is not on a managed corporate network, IE will treat apparent intranet sites as if they were on the Internet.
"This change effectively removes the attack surface of the intranet zone for home PC users," they wrote. They credit the change to an idea from a summer intern working at the company.
However, if a machine is running on a domain, IE 7 will automatically detect the intranet sites and revert to the intranet zone settings. Network administrators will be able to set group policies to ensure the browser runs as desired, the engineers wrote.
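The zone model above maps onto per-zone settings in the registry, which is also where the group policies mentioned here land. As an added example that is not from the article or from Microsoft, the following PowerShell script audits the "Run ActiveX controls and plug-ins" action for each zone and flags any zone where controls run silently; it assumes the standard layout of the Internet Settings\Zones keys (zone ids 0 to 4, action value 1200 with 0 = allow, 1 = prompt, 3 = disable).

```powershell
# Added example: audit per-zone ActiveX policy on a Windows client.
# Assumed registry layout: <hive>:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id>
# Zone ids: 0 = Local machine, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
# Action 1200 = "Run ActiveX controls and plug-ins": 0 = allow, 1 = prompt, 3 = disable
$zoneNames  = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actionText = @{ 0 = 'Allow'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXPolicy {
    # $Hive: 'HKCU' shows the user's effective settings, 'HKLM' shows machine-wide policy.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($id in 0..4) {
        $key = Join-Path $base $id
        $val = (Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue).'1200'
        $text = if ($null -eq $val) { 'not set' }
                elseif ($actionText.ContainsKey([int]$val)) { $actionText[[int]$val] }
                else { "unknown ($val)" }
        [pscustomobject]@{
            Hive       = $Hive
            ZoneId     = $id
            Zone       = $zoneNames[$id]
            RunActiveX = $text
        }
    }
}

# Report both hives so a group-policy override (HKLM) is visible next to the user setting.
$report = @(Get-ZoneActiveXPolicy -Hive HKCU) + @(Get-ZoneActiveXPolicy -Hive HKLM)
$report | Format-Table -AutoSize

# Flag zones that run ActiveX without prompting; on a home PC (no domain) the
# intranet and trusted zones are the ones the article describes as extra attack surface.
$silent = $report | Where-Object { $_.RunActiveX -eq 'Allow' -and $_.ZoneId -ne 0 }
foreach ($z in $silent) {
    Write-Warning ("{0} zone {1} ({2}) runs ActiveX controls without a prompt" -f $z.Hive, $z.ZoneId, $z.Zone)
}
```

Run it in a normal user session first (HKCU), then elevated if you want to confirm what machine policy enforces.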
In the future, the Internet zone will run in what the company calls protected mode. This should help prevent the kinds of attacks that IE has been vulnerable to in the past. Another new feature, dubbed ActiveX Opt-In, will reduce potential damage from malicious ActiveX controls in the Internet zone.