How to use security zones in Internet Explorer (174360)

MORE INFORMATION

Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

You can configure the My Computer zone (which contains files on your local computer) only from the Microsoft Internet Explorer Administration Kit (IEAK); these settings are not available in the browser interface. Administrators should use the default settings for this zone unless your organization has a specific requirement. Lower security settings can result in security risk, whereas higher security settings can impair functionality.

You can set the security options that you want for each zone, and then add or remove Web sites from the zones, depending on your level of trust in a Web site.

Types of Security Zones

Internet Zone

This zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Local Intranet Zone

By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6). Note that when you access a local area network (LAN) or an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or by using a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of in the Local intranet zone. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

Trusted Sites Zone

This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone

This zone contains Web sites that you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files that you download or run from the Web site may damage your computer or your data. By default, there are no Web sites that are assigned to the Restricted Sites zone, and the security level is set to High.

The Restricted Sites zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Note Security settings are applied only to files on your computer that are in the Temporary Internet Files folder. These settings use the security level of the Web site from which the files came. All other files are assumed to be safe.

How to Configure Security Zones

To change the default security level for a zone, customize security options in a zone, or assign a Web site to a specific zone. To do this, use the steps in one of the following sections.

How to Change the Default Security Level for a Zone

For each security zone in Internet Explorer 4.x, you can choose the High, Medium, Low, or Custom security level setting. In Internet Explorer 5 and 6, you can choose the High, Medium, Medium-low, Low, or Custom Level security setting.

To change the default security level for a zone:

1. In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
2. In Internet Explorer 4.x, on the Security tab, click the zone for which you want to change security levels in the Zone box.
   
   In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings.
3. Click the security level that you want to use for the zone, and then click OK.

How to Customize Security Settings in a Zone

The Custom option gives advanced users and administrators more control over all security options. For example, the Download Unsigned ActiveX Controls option is disabled by default in the Local Intranet zone (Medium security is the default setting for the Local Intranet zone). In this case, Internet Explorer may not run any ActiveX controls in your organization's intranet because most organizations do not sign ActiveX controls that are only used internally. For Internet Explorer to run unsigned ActiveX controls in your organization's intranet, change the security level for the Download Unsigned ActiveX Controls option to Prompt or Enable for the Local intranet zone. You an set the following security options by using the Custom setting:

• Access to files, ActiveX controls, and scripts
• The level of capabilities given to Java programs
• If sites must be identified with Secure Sockets Layer (SSL) authentication
• Password protection by using Windows NT Challenge/Response (NTLM). Depending on which zone a server is in, Internet Explorer can send your password automatically, prompt you for your user name and password, or deny any logon requests

To customize security options in a zone:

1. In Internet Explorer 4.x, click Internet Options on the View menu.
   
   In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
2. In Internet Explorer 4.x, on the Security tab, click the zone that you want to customize in the Zone box.
   
   In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings.
3. Click Custom (For Expert Users), and then click Settings.
   
   In Internet Explorer 5 and 6, click Custom Level.
4. Under Reset Custom Settings, click the security level for the entire zone in the Reset To box, and then click Reset.
5. Under the section for which you want to customize security settings, click the option that you want, click OK, and then click OK again.

To assign a Web site to a specific security zone:

1. In Internet Explorer 4.x, click Internet Options on the View menu.
   
   In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
2. In Internet Explorer 4.x, on the Security tab, click the zone to which you want to assign a Web site in the Zone box, and then click Add Sites.
   
   In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings, and then click Sites.
   
   If you add a Web site to the Local Intranet zone, you can select the types of Web sites that you want to include in the zone, and then click Advanced to add specific sites. The following rules apply to the Local Intranet zone options. Note that adding a site to any zone takes precedence over the following rules:
   • Include all local (intranet) sites that are not listed in other zones: Intranet sites have names that do not include periods (for example, http://local). A site name such as http://www.microsoft.com is not local because it contains periods. This site is assigned to the Internet zone. The intranet site name rule applies to both "file:" and "http:" addresses. Note that top-level Internet domains may be accessible by using a name that does not contain periods. If you can gain access to generic (.com, .org, .net, .edu, .gov, .mil, or .int) or country code domains (.us, .jp, .uk, and so on), clear this option to prevent these sites from using Local Intranet security settings. For additional information about top-level domains, visit the following Internet Corporation For Assigned Names and Numbers (ICANN) Web site:

     http://www.icann.org/tlds

   • Include all sites that bypass the proxy server: Typical intranet configurations use a proxy server to gain access to the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is configured differently, clear this option and use other options to designate files that are assigned to the Local Intranet zone. On computers that do not have a proxy server, this setting has no effect.
   • Include all network paths (UNCs): Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, it is possible for a network path to reference Internet content.
3. Type a Web address in the Add this Web site to the zone box, and then click Add.
4. Click OK, and then click OK again.

When you add sites to the Local Intranet or Trusted Sites zones, you can require that server verification be used if you click to select the Require server verification (https:) for all sites in this zone check box.

Note You cannot assign a Web site to the Internet zone. The Internet zone contains all Web sites that are not on your computer or in the local intranet zone, or that are not already assigned to another zone.

For more information about how to resolve behaviors that are not resolved by the preceding steps, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.