Configuring Microsoft products for safety, security and privacy
Permitting 'trusted senders' to 'download' richer content - Web sites
Occasionally you will want or need to see a web site
(OR AN E-MAIL - see How to trust an e-mail)
as the sender intended you to view it - images, interactivity etc.
Bear in mind that if you are not
absolutely certain that the sender was fully in control of their PC when
the e-mail was sent you may be exposing yourself to a serious computer
virus that could cost £300-500UKP to fix and a lot
more in terms of lost business, data and many other bad consequences.
To view a Web Site with full graphics/interactivity "etc." and associated risks
By taking our advice you will have disabled certain MS features that
are by far the biggest security holes for the consumer in the MS product line.
The consequence of this change is that highly interactive sites that previously
worked may not function correctly without intervention - they need to
be "promoted".
95% of the sites that have problems can be made to function as
intended by promoting them from the "Internet Zone" (level 2) to one higher -
the "Local Intranet" (3) or even the "Trusted" (4) zone.
Two caveats to doing so:
- Only do this if you are absolutely certain that the owner, manager,
developer and service provider of the site are completely reputable, competent
and have not been compromised.
- There are situations where this will not suffice. In particular if a
site needs to have a Plug-In downloaded or even a different version of a
Plug-in before the site will become "alive".
It is our strong recommendation that no Plug-ins other than Acrobat
Reader should be allowed to run and under no circumstances should
you download a Plug-in at the insistence of a site because there
is a reasonable chance that they will direct you to a site that will
look reputable but in fact will download code that will give control
of your PC to ill-intentioned people on the web.
Notes:
- The other 5% would have failed anyway, even if you had made no changes!
- We leave level 1 for the Untrusted Zone where you can put sites
that you really do not want to do anything with your PC at all!
Making the Local Intranet Zone a little safer
Even for sites you trust,
you should customise SOME settings to lower the level of threat by making
IE prompt before taking an action rather than acting automatically, which is
what you get when you tick 'enabled'.
To change the settings you should single click on the symbol
(PC in front of WWW globe) and then click on customise.
The ones that I normally switch to prompt
(if not already the default - as marked with an * below) are:
I would also disable the pop-up blocker for these sites
(two thirds down the page)
and set the User authentication (very bottom) to prompt for user name
and password.
Note that there will probably be only 6 out of all of the above that you
need to change from their default for this zone. You may also want to reset
SOME of them to Enable rather than prompt if you get too much irritation from
the prompts, because the sites that you place there use technology in a manner
which causes them to create prompts.
Another option is to move the domain yet higher (you need to remove it from
this zone first) into the trusted zone (Green circle with white tick inside)
but obviously this is only for the most trusted sites.
To promote a site from the (now restricted!) Internet Zone
You may wish to use the
Microsoft instructions as at Dec'06 or ours as follows...
The instructions below are my attempt at making that easier and
you will see some real examples below.
Note that the 'Trusted Zone' is the very highest level of trust and
normally reserved for the 'must have' sites or sub-sites such as
Windows Update - *.windowsupdate.microsoft.com is one of few examples.
Although the 'Local Zone' takes an extra 2 clicks to add sites it should be
the zone chosen for any TRUSTED site with which you are having problems.
Bear in mind that legitimate sites will often use third-party providers of
I.T. services as part of their own site - either as a subdomain or an explicit
3rd party domain such as 'ad.doubleclick.net' - you need to trust the
competence and integrity of the owners of the prime site that they will not
allow you to be compromised by their suppliers.
Also bear in mind that legitimate sites will have marketing as well as
contractual aspects to their site. Whereas you may trust your Bank to
manage your money you have to ask yourself the question - do I trust the
people in marketing who are responsible for all of the Junk through my letter
box? Trusting the whole of a vast domain should be avoided if possible.
Explorer - upgrading a site to a higher ZONE SETTING
Firstly you should ensure that IE is showing you the zone of web sites
as you visit them, the following should be at the very bottom of your
browser window. The words and images may not be exactly as shown.
Note that this (Status Bar) is very useful for your SECURITY
because it allows you to
see the ACTUAL address of web sites prior to you clicking on any link!
As a slight aside - this status bar is really useful in Outlook Express too,
see How to trust an e-mail
The ZONE is above - i.e. Internet in this case.
Note that other Zones are
named: Local Intranet, Trusted sites and Restricted sites as shown below
If the above is not shown at the bottom of your (Internet Explorer) browser
then click on 'View' at the top of the browser
(after File and Edit - see image to right)
and ensure that the phrase 'Status Bar' has a tick in front of it.
Left click upon the words 'Status Bar' if there is not one.
You MAY need to exit the browser and launch it again to get the above to display.
The simple approach is to click on the 'Zone' in the right of the status bar
at the bottom of the Internet Explorer Window as shown above.
Left Click on the "Local Intranet Zone" which is symbolised
by a small picture of a Globe with a PC in front of it. Then Click on "Sites".
You should check that all of the prompts that start with the
words "Include all" are DE-selected and then click on "Advanced".
You can then enter the Web Site address that you wish to be promoted
(e.g. www.tony-blair.gov.uk) and then click on "Add".
If there is a prompt "require https" for these sites then de-select it.
One of the reasons for removing the 'Include all' options is on the MS site as
KB303650, "Intranet site is identified as an Internet site when you use an
FQDN or an IP address".
Adding sites to the "Trusted" zone is simpler in that after single
left-clicking the zone (Green with white tick) then the Sites option
takes you directly to a prompt for site names. You should DE-select the
option that says "insist on https connection to these sites".
If you then click on "OK" three times! you should find that the site will now
have a changed symbol in the status bar at the bottom of MSIE which shows
that the site is being treated as "Local Intranet" rather than "Internet".
En-route to adding specific sites you will always be prompted for some
generic inclusions - unless you know what you are doing you should disable
all of these as anyone who (for instance) managed to encroach on your
Wireless LAN could potentially trick you into running code from a dummy site
which they could have running on a Laptop in a nearby Car Park for criminal
intent.
Adding sites is straightforward and IE may offer the site for you to add
without typing. On the whole, be specific: if the site is very large (e.g.
microsoft.com) then only allow subdomains or folders (prefix vs suffix).
A * at the front permits all subdomains.
To the left is how you select the Trusted Zone - then click 'Sites'.
Above is an example of adding the whole of the bbc.co.uk site to
your trusted zone.
Demanding secure connection (https:) doesn't tend to work even with banks
as they typically have many (sub-)domains of which only some use https:.
Above and to the right are what MS IE will show in the very bottom right
when you visit sites you have put in the Trusted and Local Zones.
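To review afterwards which sites have been promoted, the per-user site list can be exported with 'reg export' and read back. The following is an added example, not part of the original page or of any Microsoft tool: it assumes the list is stored under the ZoneMap\Domains registry key, treats an entry stored on the domain key itself as the "whole domain" kind discussed above, and runs on a constructed sample. The function names are hypothetical.

```python
import re

# Windows' own zone numbers (these differ from the 1-4 "levels" used on this page).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample in the text layout that `reg export` writes; not real data.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{DOMAINS_KEY}\\bbc.co.uk]",
    '"http"=dword:00000002',
    "",
    f"[{DOMAINS_KEY}\\tony-blair.gov.uk\\www]",
    '"http"=dword:00000001',
])

def promoted_sites(export_text):
    """Return (site, protocol, zone name, whole_domain) for every listed site."""
    prefix = DOMAINS_KEY.lower() + "\\"
    entries, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # Remember the part below ...\Domains, or None for unrelated keys.
            key = path[len(prefix):] if path.lower().startswith(prefix) else None
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if key and value:
            parts = key.split("\\")           # ['bbc.co.uk'] or ['tony-blair.gov.uk', 'www']
            site = ".".join(reversed(parts))  # host subkey goes in front of the domain
            zone = int(value.group(2), 16)
            # Assumption: no host subkey means the entry was made for the whole domain.
            entries.append((site, value.group(1),
                            ZONES.get(zone, f"zone {zone}"), len(parts) == 1))
    return entries

def needs_review(entries):
    """Entries that raise trust for a whole domain instead of one named host."""
    return [e for e in entries
            if e[3] and e[2] in ("Local intranet", "Trusted sites")]

if __name__ == "__main__":
    for site, proto, zone, whole in promoted_sites(SAMPLE_EXPORT):
        print(f"{site:24} {proto:6} {zone:15} {'WHOLE DOMAIN' if whole else ''}")
```

On a real PC the input would be the file written by 'reg export' for that key, which is saved as UTF-16 text and must be opened with that encoding.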
I hope that has been useful. Any Comments, suggestions or corrections
to: Contact us please.
This would be especially useful if the software environment you have is
different to mine and the headings, text or prompts are different.