How to use security zones in Internet Explorer (174360)
The information in this article applies to:
- Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
- Microsoft Internet Explorer 4.0 for Windows NT 4.0
- Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 1
- Microsoft Internet Explorer 5.5 for Windows Millennium Edition SP 2
- Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 2
- Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 2
- Microsoft Internet Explorer 5.5 for Windows 98 SP 1
- Microsoft Internet Explorer 5.5 for Windows 98 SP 2
- Microsoft Internet Explorer 5.01 for Windows 98 SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 SP 2
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 4.01 for Windows 98 SP 2
- Microsoft Internet Explorer 5.5 for Windows 95 SP 1
- Microsoft Internet Explorer 5.5 for Windows 95 SP 2
- Microsoft Internet Explorer 5.01 for Windows 95 SP 1
- Microsoft Internet Explorer 5.01 for Windows 95 SP 2
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 4.01 for Windows 95 SP 1
- Microsoft Internet Explorer 4.01 for Windows 95 SP 2
- Microsoft Internet Explorer 4.0 for Windows 95
- Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
- Microsoft Internet Explorer 5.5 for Windows 2000 SP 2
- Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
- Microsoft Internet Explorer 5.01 for Windows 2000 SP 2
- Microsoft Internet Explorer version 6 for Windows XP
- Microsoft Internet Explorer version 6 for Windows 2000
- Microsoft Internet Explorer version 6 for Windows NT 4.0
- Microsoft Internet Explorer version 6 for Windows Millennium Edition
- Microsoft Internet Explorer version 6 for Windows 98 Second Edition
- Microsoft Internet Explorer version 6 for Windows 98
This article was previously published under Q174360 SUMMARY The article describes the types of security zones in
Microsoft Internet Explorer, and how to configure different levels of security
for Web sites that you visit.MORE INFORMATION Internet Explorer includes five predefined zones: Internet,
Local Intranet, Trusted Sites, Restricted Sites, and My Computer. You
can configure the My Computer zone (which contains files on your local
computer) only from the Microsoft Internet Explorer Administration Kit (IEAK);
these settings are not available in the browser interface. Administrators
should use the default settings for this zone unless your organization has a
specific requirement. Lower security settings can result in security risk,
whereas higher security settings can impair functionality. You can
set the security options that you want for each zone, and then add or remove
Web sites from the zones, depending on your level of trust in a Web site. Types of Security ZonesInternet Zone This zone contains Web sites that are not on your computer or on
your local intranet, or that are not already assigned to another zone. The
default security level is Medium. Local Intranet Zone By default, the Local Intranet zone contains all of the network
connections that were established by using a Universal Naming Convention (UNC)
path, and Web sites that bypass the proxy server or have names that do not
include periods (for example, http://local), provided that they are not
assigned to either the Restricted Sites or Trusted Sites zone. The default
security level for the Local Intranet zone is set to Medium (Internet Explorer
4) or Medium-low (Internet Explorer 5 and 6). Note that when you access a local
area network (LAN) or an intranet share, or an intranet Web site by using an
Internet Protocol (IP) address or by using a fully qualified domain name
(FQDN), the share or Web site is identified as being in the Internet zone
instead of in the Local intranet zone.
For more information
about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
303650
Intranet site is identified as an Internet site when you use an FQDN or an IP address
Trusted Sites Zone This zone contains Web sites that you trust as safe (such as Web
sites that are on your organization's intranet or that come from established
companies in whom you have confidence). When you add a Web site to the Trusted
Sites zone, you believe that files you download or that you run from the Web
site will not damage your computer or data. By default, there are no Web sites
that are assigned to the Trusted Sites zone, and the security level is set to
Low. Restricted Sites Zone This zone contains Web sites that you do not trust. When you add
a Web site to the Restricted Sites zone, you believe that files that you
download or run from the Web site may damage your computer or your data. By
default, there are no Web sites that are assigned to the Restricted Sites zone,
and the security level is set to High. The Restricted Sites zone
contains Web sites that are not on your computer or on your local intranet, or
that are not already assigned to another zone. The default security level is
Medium. Note Security settings are applied only to files on your computer that
are in the Temporary Internet Files folder. These settings use the security
level of the Web site from which the files came. All other files are assumed to
be safe. How to Configure Security Zones To change the default security level for a zone, customize
security options in a zone, or assign a Web site to a specific zone. To do
this, use the steps in one of the following sections. How to Change the Default Security Level for a Zone For each security zone in Internet Explorer 4.x, you can choose
the High, Medium, Low, or Custom security level setting. In Internet Explorer 5
and 6, you can choose the High, Medium, Medium-low, Low, or Custom Level
security setting. To change the default security level for a zone:
- In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
- In
Internet Explorer 4.x, on
the Security tab, click the zone for which you want to change security levels
in the Zone box.
In
Internet Explorer 5 and 6, on the Security tab, click the zone
to which you want to assign a Web site under Select a Web content zone
to specify its security settings. - Click the security level that you want to use for the zone,
and then click OK.
How to Customize Security Settings in a Zone The Custom option gives advanced users and administrators more
control over all security options. For example, the Download Unsigned ActiveX
Controls option is disabled by default in the Local Intranet zone (Medium
security is the default setting for the Local Intranet zone). In this case,
Internet Explorer may not run any ActiveX controls in your organization's
intranet because most organizations do not sign ActiveX controls that are only
used internally. For Internet Explorer to run unsigned ActiveX controls in your
organization's intranet, change the security level for the Download Unsigned ActiveX Controls option to Prompt or Enable for the Local intranet zone. You an set the following security
options by using the Custom setting:
- Access to files, ActiveX controls, and scripts
- The level of capabilities given to Java programs
- If sites must be identified with Secure Sockets Layer (SSL)
authentication
- Password protection by using Windows NT Challenge/Response
(NTLM). Depending on which zone a server is in, Internet Explorer can send your
password automatically, prompt you for your user name and password, or deny any
logon requests
To customize security options in a zone:
- In Internet Explorer 4.x, click Internet Options on the View menu.
In Internet Explorer 5 and 6, click Internet Options on the Tools menu. - In
Internet Explorer 4.x, on
the Security tab, click the zone that you want to customize in the Zone box.
In
Internet Explorer 5 and 6, on the Security tab, click the zone
to which you want to assign a Web site under Select a Web content zone
to specify its security settings. - Click Custom (For Expert Users), and then click Settings.
In Internet Explorer 5 and 6, click Custom Level. - Under Reset Custom Settings, click the security level for the entire zone in the Reset To box, and then click Reset.
- Under the section for which you want to customize security
settings, click the option that you want, click OK, and then click OK again.
To assign a Web site to a specific security zone:
- In Internet Explorer 4.x, click Internet Options on the View menu.
In Internet Explorer 5 and 6, click Internet Options on the Tools menu. - In
Internet Explorer 4.x, on
the Security tab, click the zone to which you want to assign a Web site in the
Zone box, and then click Add Sites.
In
Internet Explorer 5 and 6, on the Security tab, click the zone
to which you want to assign a Web site under Select a Web content zone
to specify its security settings, and then click
Sites.
If you add a Web
site to the Local Intranet zone, you can select the types of Web sites that you
want to include in the zone, and then click Advanced to add specific sites. The following rules apply to the Local
Intranet zone options. Note that adding a site to any zone takes precedence
over the following rules:
- Include all local (intranet) sites that are not listed
in other zones: Intranet sites have names that do not include periods (for
example, http://local). A site name such as http://www.microsoft.com is not
local because it contains periods. This site is assigned to the Internet zone.
The intranet site name rule applies to both "file:" and "http:" addresses. Note
that top-level Internet domains may be accessible by using a name that does not
contain periods. If you can gain access to generic (.com, .org, .net, .edu,
.gov, .mil, or .int) or country code domains (.us, .jp, .uk, and so on), clear
this option to prevent these sites from using Local Intranet security settings.
For additional information about top-level domains, visit the following
Internet Corporation For Assigned Names and Numbers (ICANN) Web site:
- Include all sites that bypass the proxy server: Typical
intranet configurations use a proxy server to gain access to the Internet with
a direct connection to intranet servers. This setting uses this kind of
configuration information to distinguish intranet from Internet content for
purposes of zones. If the proxy server is configured differently, clear this
option and use other options to designate files that are assigned to the Local
Intranet zone. On computers that do not have a proxy server, this setting has
no effect.
- Include all network paths (UNCs): Network paths (for
example, \\local\file.txt) are typically used for local network content that
should be included in the Local Intranet zone. If there are network paths that
should not be in the Local Intranet zone, clear this option and use other
options to designate files that are assigned to the Local Intranet zone. For
example, in certain Common Internet File System (CIFS) configurations, it is
possible for a network path to reference Internet content.
- Type a Web address in the Add this Web site to the
zone box, and then click Add.
- Click OK, and then click OK again.
When you add sites to the Local Intranet or Trusted Sites
zones, you can require that server verification be used if you click to select
the Require server verification (https:) for all sites in this
zone check box. Note You cannot assign a Web site to the Internet zone. The Internet
zone contains all Web sites that are not on your computer or in the local
intranet zone, or that are not already assigned to another
zone.
For more information about how to resolve behaviors that are not
resolved by the preceding steps, click the following article number to view the article in the Microsoft Knowledge Base:
319585
"Software update incomplete" error message when you visit the Windows Update Web site
Microsoft provides third-party contact information to help you find
technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.
Modification Type: | Major | Last Reviewed: | 3/1/2006 |
---|
Keywords: | kbenv kbhowto KB174360 |
---|
|