IE 6 is getting a pretty bad reputation for security – this news site has reported many times on a wide range of security flaws effecting the browser, many of which immediately after discovery were afflicted with exploit code. Microsoft remains committed to reversing this situation with IE 7, the next incarnation of the browser, and as such is concentrating very much on security in this next version of the application.
The company has now detailed several changed in the way IE 7 will classify Web sites for security, hoping that the ultimate effect will be to reduce the likelihood that users will fall victim to malicious code. Currently, IE has four classifications for Web sites: Internet, local intranet, trusted, and restricted. The browser then uses these classifications to determine if certain functions will be allowed to execute – for example if Active X controls can run or not. For IE 7, Microsoft is working on preventing the browser from running malicious code in less restrictive security zones.
The local intranet zone is not really relevant for home users, the engineers said. Instead, a change has been made to IE 7 so that, when a PC is not on a managed corporate network, IE will treat apparent intranet sites as if they were on the Internet.
"This change effectively removes the attack surface of the intranet zone for home PC users." they wrote. They credit the change to an idea from a summer intern working at the company.
However, if a machine is running on a domain, IE 7 will automatically detect the intranet sites and revert to the intranet zone settings. Network administrators will be able to set group policies to ensure the browser runs as desired, the engineers wrote.
In the future, the Internet zone will run in what the company calls protected mode. This should help prevent the kinds of attacks that IE has been vulnerable to in the past. Another new feature, dubbed ActiveX Opt-In, will reduce potential damage from malicious Active X controls in the Internet zone.