How to Use Security Zones in Internet Explorer

ID: Q174360

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.

The information in this article applies to:

Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows 95
Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows NT 4.0
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional

SUMMARY

The article describes the types of security zones in Internet Explorer, and how to configure different levels of security for Web sites that you visit.

MORE INFORMATION

Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

You can configure the My Computer zone (which contains files on your local computer) only from the Microsoft Internet Explorer Administration Kit (IEAK); these settings are not available in the browser interface. Administrators should use use the default settings for this zone unless your organization has a specific requirement. Lower security settings could result in security risk, whereas higher security settings could impair functionality.

You can set the security options you want for each zone, and then add or remove Web sites from the zones depending on your level of trust in a Web site.

Types of Security Zones

Local Intranet Zone:

By default, the Local Intranet zone contains all network connections established using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local) provided they are not assigned to the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5).

Trusted Sites Zone:

This zone contains Web sites that you trust as being safe (such as those on your company's intranet or from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or run from the Web site will not damage your computer or data. By default, there are no Web sites assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone:

This zone contains Web sites you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files you download or run from the Web site may damage your computer or data. By default, there are no Web sites assigned to the Restricted Sites zone, and the security level is set to High.

Internet Zone:

This zone contains Web sites that are not on your computer or local intranet, or that are not already assigned to another zone. The default security level is Medium.

NOTE: Security settings are applied only to files on your computer that are in the Temporary Internet Files folder (using the security level of the Web site from which the files came). All other files are assumed to be completely safe.

How to Configure Security Zones

To change the default security level for a zone, customize security options within a zone, or assign a Web site to a specific zone, follow the steps in the appropriate section below:

Changing the Default Security Level for a Zone:

For each security zone in Internet Explorer 4.x, you can choose the High, Medium, Low, or Custom security level setting. In Internet Explorer 5, you can choose the High, Medium, Medium-low, Low, or Custom Level security setting.

To change the default security level for a zone:

In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5, click Internet Options on the Tools menu.

On the Security tab, click the zone for which you want to change security levels in the Zone box.

Click the security level you want to use for the zone, and then click OK.

Although Microsoft recommends the High security setting for Web sites that are not in the Trusted Sites zone, you can safely use the Medium security setting in the Trusted Sites zone.

Customizing Security Settings Within a Zone:

The Custom option gives advanced users and administrators more control over all security options. For example, the Download Unsigned ActiveX Controls option is disabled by default in the Local Intranet zone (Medium security is the default setting for the Local Intranet zone). In this case, Internet Explorer may not run any ActiveX controls in your company's intranet because most companies do not sign ActiveX controls that are used internally only. In order for Internet Explorer to run ActiveX controls in your company's intranet, you would want to change the security level for the Download Unsigned ActiveX Controls option to Prompt or Enable. You can set the following security options using the Custom setting:

Access to files, ActiveX controls, and scripts.

The level of capabilities given to Java programs.

Whether sites must be identified with Secure Sockets Layer (SSL) authentication.

Password protection using Windows NT Challenge/Response (NTLM). Depending on which zone a server is in, Internet Explorer can send your password automatically, prompt you for your user name and password, or simply deny any login requests.

To customize security options within a zone, follow these steps:

In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5, click Internet Options on the Tools menu.

On the Security tab, click the zone you want to customize in the Zone box.

Click Custom (For Expert Users), and then click Settings. In Internet Explorer 5, click Custom Level.

Under Reset Custom Settings, click the security level for the entire zone in the Reset To box, and then click Reset.

Under the section for which you want to customize security settings,click the option you want, click OK, and then click OK again.

To assign a Web site to a specific security zone, follow these steps:

In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5, click Internet Options on the Tools menu.

On the Security tab, click the zone you want to assign a Web site to in the Zone box, and then click Add Sites.

If you add a Web site to the Local Intranet zone, you can select the types of Web sites you want to include in the zone, and then click Advanced to add specific sites. The following rules apply to the Local Intranet zone options. Note that adding a site to any zone takes precedence over the following rules:
- Include all local (intranet) sites not listed in other zones: Intranet sites have names that do not include periods (for example, http://local). A site name such as http://www.microsoft.com is not local because it contains periods. This site is assigned to the Internet zone. The intranet site name rule applies to "file:" as well as "http:" addresses. Note that top-level Internet domains may be accessible using a name that does not contain periods. If you can gain access to generic (.com, .org, .net, .edu, .gov, .mil, or .int) or country code domains (.us, .jp, .uk, and so on), you should clear this option to prevent these sites from using Local Intranet security settings. For additional information about top-level domains, see the following Web site:
  http://www.iana.org/top-level-domains.html
  The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information.
- Include all sites that bypass the proxy server: Typical intranet configurations use a proxy server to gain access to the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is otherwise configured, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. In systems that do not have a proxy server, this setting has no effect.
- Include all network paths (UNCs): Network paths (for example, "\\local\file.txt") are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, you should clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, it is possible for a network path to reference Internet content.

Type a Web address in the Add this Web site to the zone box, and then click Add.

Click OK, and then click OK again.

When you add sites to the Local Intranet or Trusted Sites zones, you can require that server verification be used by clicking to select the Require server verification (https:) for all sites in this zone check box.

NOTE: You cannot assign a Web site to the Internet zone. The Internet zone contains all Web sites that are not on your computer or in the local intranet zone, or that are not already assigned to another zone.

Additional query words:


Keywords          : kbenv msiew95 msient msiew98 
Version           : WINDOWS:2000,4.0,4.01,4.01 Service Pack 1,4.01 Service Pack 2,5
Platform          : WINDOWS 
Issue type        : kbhowto

Last Reviewed: July 23, 1999