Load Internet Explorer, click on Tools, then Internet Options, and select the Security tab. Note – This should be done regardless of whether or not Internet Explorer is your browser of choice, although switching to a different browser would of course help as well.
The main zone to be concerned with here is the Internet zone (as it's the one you're in for the vast majority of the time you're connected, though you can adjust the other available zones too if you wish), so select it. Rather than choosing one of the pre-defined setups with the slider, click the Custom Level button instead.
Options to consider adjusting here are as follows (Note – Some of the options beneath aren't available unless the Microsoft Java VM and/or .NET Framework are installed):
Run components not signed with Authenticode.
Microsoft Authenticode is designed to identify the publisher of code and to assure end users that software has not been tampered with before or during the download process (for further information check MSDN). This should give you some peace of mind when downloading code from the internet, as it provides a way to validate it for you, which is all the more important if it's from a lesser-known source. The following images illustrate unsigned versus signed content being downloaded by Internet Explorer. Clearly the latter seems more trustworthy, with the publisher of the code both stated and verified by VeriSign; the former features no such verification. That said, being 'Unsigned' doesn't necessarily make the content untrustworthy (the first image shown was for SmartFTP, the FTP browser I use), and as such you'd be best off setting this to Prompt.
Run components signed with Authenticode.
As per the description given previously, signed content is an indication that the downloaded code can be trusted not to maliciously harm your system, and as such you should be content enough setting this to Enable.
Download signed ActiveX controls.
Being signed by a certifying authority is an indication that an ActiveX control should be safe, and as such you should be comfortable setting this to Prompt, unless you have no desire for any ActiveX controls on your system, in which case select Disable (though a good many websites may need to install such controls to function, e.g. Windows Update).
Download unsigned ActiveX controls.
Unsigned ActiveX controls can be much more of a potential security risk than signed ones and as such should certainly not be set to Enable; rather, leave this set to Disable or Prompt for improved security, only allowing controls to be downloaded on sites you know can be trusted.
Initialize and script ActiveX controls not marked as safe.
Similar to the previous option: if you've set the above to Disable, set this to Disable also; otherwise set this to Prompt, or Enable (not recommended), to allow such unsigned controls to be run at your own discretion.
Run ActiveX controls and plug-ins.
Assuming you don't accept every ActiveX control/plug-in you come across, you should be relatively safe setting this to Prompt or Administrator approved. I wouldn't recommend selecting Enable, though, unless you have only Download signed ActiveX controls set to Enable, with Download unsigned ActiveX controls set to Disable. If you've not accepted any ActiveX control downloads you can set this to Disable.
Script ActiveX controls marked safe for scripting.
Similar to the previous option: if you have that set to Enable/Administrator approved or Prompt, then you should set this option accordingly. These controls pose less of a risk than unsafe ones, and you shouldn't need to set this to Disable at all.
Java Permissions.
Setting this to High Safety is recommended so that any Java content run by the Microsoft Java VM runs with minimal system privileges.
Access data sources across domains.
This option sets how MSXML (Microsoft XML Core Services) accesses data across the various security zones. The default settings for this are sufficiently secure, however, these being Internet – Disable, Local intranet – Prompt, Trusted sites – Enable and Restricted sites – Disable. For more detailed information regarding this option check MSDN's XML Client Security article.
Allow META REFRESH.
The meta refresh HTML tag allows a webpage to be reloaded or (more commonly) to redirect to another webpage after a set delay. While this may seem innocent enough, e.g. our Forums (and others) use this tag to redirect you to the thread where you posted a comment/reply – heck, even Gibson Research Corporation uses it, it's also associated with many security vulnerabilities, since a page can use it to send your browser somewhere else automatically, without any action on your part. As such it would be advisable to set this to Prompt. See further down for how to minimize the adverse effects on convenience this can have, e.g. forums reloading a thread after you post a comment/reply.
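The settings above are clicked through one dialog at a time, so it is easy to lose track of what a machine actually has. The following Python script is an added example and is not part of the original guide: it reads an export of the Internet zone's registry key (produced on the machine with: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg, a file written as UTF-16, so open it with encoding='utf-16') and compares each Custom Level value against the recommendation given above. The value names (1001, 1004, 1200 and so on) and the meaning of their DWORD values are taken from Microsoft's KB 182569 description of the zone registry layout, not from this guide, and should be checked against the Custom Level dialog on your own machine; the sample export embedded in the script is constructed, and the function names are my own.

```python
import re

# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (zone 3 = Internet), per Microsoft KB 182569; this mapping is not from the guide.
ZONE3_OPTIONS = {
    "2004": "Run components not signed with Authenticode",
    "2001": "Run components signed with Authenticode",
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1200": "Run ActiveX controls and plug-ins",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1C00": "Java permissions",
    "1406": "Access data sources across domains",
    "1608": "Allow META REFRESH",
}

# DWORD meanings from the same documentation. 0x10000 is assumed to mean
# "Administrator approved" on 1200 and "High safety" on 1C00.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ADMIN_APPROVED = 0x10000
JAVA_HIGH_SAFETY = 0x10000

# What the guide accepts for each option in the Internet zone
# (Enable is deliberately absent where the guide warns against it).
RECOMMENDED = {
    "2004": {PROMPT},
    "2001": {ENABLE},
    "1001": {PROMPT, DISABLE},
    "1004": {DISABLE, PROMPT},
    "1201": {DISABLE, PROMPT},
    "1200": {PROMPT, ADMIN_APPROVED, DISABLE},
    "1405": {ENABLE, PROMPT},
    "1C00": {JAVA_HIGH_SAFETY},
    "1406": {DISABLE},
    "1608": {PROMPT},
}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
_DWORD_LINE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def describe(code, value):
    """Turn a raw DWORD into the wording the Custom Level dialog uses."""
    if code == "1C00":
        java = {0: "Disable Java", 0x10000: "High safety",
                0x20000: "Medium safety", 0x30000: "Low safety"}
        return java.get(value, hex(value))
    names = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable",
             ADMIN_APPROVED: "Administrator approved"}
    return names.get(value, hex(value))


def parse_zone3(reg_text):
    """Collect the DWORD values of the Zones\\3 section of a .reg export.
    Only that key is read; value names are upper-cased so "1c00" matches "1C00"."""
    values = {}
    in_zone3 = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone3 = line[1:-1].lower() == ZONE3_KEY.lower()
            continue
        if not in_zone3:
            continue
        m = _DWORD_LINE.match(line)
        if m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values


def audit_internet_zone(reg_text):
    """Return (code, option, current_setting_or_None, verdict) per option.
    A missing value means IE is applying its built-in default for the zone."""
    values = parse_zone3(reg_text)
    report = []
    for code, option in ZONE3_OPTIONS.items():
        if code not in values:
            report.append((code, option, None, "not set (IE default applies)"))
            continue
        current = values[code]
        verdict = "ok" if current in RECOMMENDED[code] else "review"
        report.append((code, option, describe(code, current), verdict))
    return report


def needs_review(report):
    """Option codes whose current value the guide does not accept."""
    return [code for code, _, current, verdict in report
            if current is not None and verdict == "review"]


# Constructed sample export (not from a real machine); 2001 is left out on
# purpose to show how an unset value is reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"1406"=dword:00000003
"1608"=dword:00000000
"1c00"=dword:00010000
"2004"=dword:00000001
"""

if __name__ == "__main__":
    for code, option, current, verdict in audit_internet_zone(SAMPLE_EXPORT):
        print(f"{code}  {option:<60} {current or '-':<22} {verdict}")
```

Run against the sample, the script flags 1004, 1200 and 1608 (all at Enable) for review and reports 2001 as not set, which is the case a manual check most often misses: a value absent from the key is still live, just at whatever default Internet Explorer ships for that zone.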
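To make concrete what the Allow META REFRESH setting is guarding against, here is an added Python example of my own (not the guide's) that scans an HTML document for refresh tags, works out the delay and the destination of each, and classifies it as a plain reload, a redirect within the same site (the forum case described above) or a redirect to another host, which is the one worth looking at twice. The sample page and the host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _MetaRefreshCollector(HTMLParser):
    """Gather the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # HTMLParser lower-cases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() == "refresh":
            self.contents.append(attr.get("content", ""))


def parse_refresh_content(content):
    """Split a refresh content value into (delay_seconds, url_or_None).
    Handles "30", "0; url=/x", "0;URL='http://h/'" and "0;http://h/"."""
    head, sep, rest = content.partition(";")
    try:
        delay = float(head.strip())
    except ValueError:
        delay = 0.0                # unparseable delay: report it as immediate
    url = None
    if sep:
        rest = rest.strip()
        if rest[:3].lower() == "url":
            rest = rest[3:].lstrip()
            if rest.startswith("="):
                rest = rest[1:].strip()
        url = rest.strip("'\"") or None
    return delay, url


def find_meta_refresh(html, page_url):
    """Return one dict per refresh tag with its delay, absolute target and a
    kind of 'reload', 'same-site redirect' or 'off-site redirect'."""
    collector = _MetaRefreshCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for content in collector.contents:
        delay, target = parse_refresh_content(content)
        if target is None:
            findings.append({"delay": delay, "target": None, "kind": "reload"})
            continue
        absolute = urljoin(page_url, target)   # relative targets resolve against the page
        kind = ("same-site redirect" if urlsplit(absolute).hostname == page_host
                else "off-site redirect")
        findings.append({"delay": delay, "target": absolute, "kind": kind})
    return findings


# Constructed sample page: a forum-style post-reply redirect, an immediate
# redirect to another host, and a plain periodic reload.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="2;url=/forums/thread.php?t=123">
<META HTTP-EQUIV="Refresh" CONTENT="0; URL='http://other-host.example/landing'">
<meta http-equiv="refresh" content="30">
</head><body>Thanks for posting.</body></html>"""

if __name__ == "__main__":
    for f in find_meta_refresh(SAMPLE_HTML, "http://forums.example.com/post.php"):
        print(f"{f['kind']:<20} after {f['delay']:g}s -> {f['target']}")
```

The Prompt setting the guide recommends is, in effect, the browser asking you the question this script answers: a zero-second redirect to a host other than the page you loaded is exactly the kind of refresh you want to be asked about, while the forum's same-site redirect back to your thread is the convenience cost the guide mentions.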