Chapter 31: Network and Internet Security


Managing Which Files Internet Explorer Downloads

Internet Explorer can retrieve a wide variety of files and objects, ranging from innocuous plain text files and images to potentially destructive executable programs. Some Web pages increase the amount of interactivity they can offer by downloading small programs to run on your computer. For example, rather than transmitting the individual frames of an animation over the Internet, a Web server may send an animation-constructing program that runs on your computer. A financial Web site may download a program that displays a scrolling stock ticker. Typically, this process is invisible to the user--the interaction or the animation just happens, without calling your attention to how it happens.

While these programs are useful, they also create security issues. If Web sites can put useful programs on your computer and run them without informing you, precautions must be taken to make sure that they can't also put harmful programs on your computer. Internet Explorer takes certain precautions automatically, and allows you the option to choose additional precautions.

Internet Explorer's downloaded object security allows you to decide, based on both the Web site where an object came from and the type of object, whether to retrieve an object, and once it's retrieved, what to do with it. Internet Explorer defines three levels of object access (low, medium, and high) to give varying amounts of access to your computer. You can also define custom access permissions, if the three standard settings don't meet your needs.

What Are Java, JavaScript, VBScript, and ActiveX?

Java is a language for sending small applications (called applets) over the Web, so that they can be executed by your computer. JavaScript is a language for extending HTML to embed small programs called scripts in Web pages. VBScript, a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript) can do too, and vice versa.

ActiveX controls, like Java, are a way to embed executable programs into a Web page. Unlike Java and JavaScript, but like VBScript, ActiveX is a Microsoft system that is not used by Navigator or most other browsers. When Internet Explorer encounters a Web page that uses ActiveX controls, it checks to see whether that particular control is already installed and if it is not, IE installs the control on your machine.

caution ActiveX controls are considerably more dangerous than JavaScript or VBScript scripts or Java applets. Java applets and JavaScript scripts are run in a "sandbox" inside your Web browser, which limits the accidental or deliberate damage they can do; and VBScript scripts are run by an interpreter, which should limit the types of damage they can do. However, ActiveX controls are programs with full access to your computer's resources.

What Are Internet Explorer's Zones?

Internet Explorer divides the world into four zones:

Downloaded ActiveX controls and other executable objects can and should be signed by their authors using a certificate scheme similar to that used for validating remote servers.

For each of the four zones into which a Web page can fall, you can set the security to high, medium, medium-low, or low. For each zone, you can set exactly which remote operations you're willing to perform. To prevent downloading and running software that might infect your system with a virus, see the section "Preventing Infection by Viruses" earlier in this chapter.

Controlling Your Download Security

The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:

  1. Open the Internet Options dialog box by selecting Tools | Internet Options from the Internet Explorer menu bar.
  2. Click the Security tab of the Internet Options dialog box (as shown in Figure 31-1).
Figure 31-1: Security tab of the Internet Options dialog box
  3. Select the security zone you want to examine or change. The rest of the information on the Security tab changes to show the settings for that zone.
  4. If you want to change the security setting of a zone, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)
  5. If you want to change the security settings of the selected zone, scroll through the Security Settings dialog box until you see the item you want to change. Change an item by selecting or deselecting its check box or by selecting a different radio button than the current selection.
  6. Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.

Displaying and Changing Settings for Zones

To add or delete a Web site from the Local Intranet, Trusted Sites, or Restricted Sites Zones, click the zone on the Security tab of the Internet Options dialog box. Click the Sites button. (There's no button for the Internet Zone, since it contains all the Web sites that are not contained in the other three zones.) You see a dialog box like the one shown here:
[image]

If you want to include only sites that have secure servers, leave the Require Server Verification (https:) For All Sites In This Zone check box selected. If you want to be able to add any Web site to the list of trusted sites for this zone, deselect the check box. To add a site, type its URL (including http:// or https://) in the top box and click Add. To remove a site, click in the Web Sites box and click Remove.

Controlling Which Web Sites Are in the Local Intranet Zone

The Local Intranet Zone normally contains sites on your own local area network and is set up that way by your network administrator when he or she sets up the network. When you click Add Sites on the Security tab, Windows displays the Local Intranet Zone dialog box, with these three check boxes:

You can also click the Advanced button to add sites individually, as for Trusted and Restricted sites. See Chapter 30 for more information on how networks connect to the Internet.

Controlling Which Web Sites Are in the Trusted and Restricted Sites Zones

The Trusted and Restricted Sites zones start with no Web sites listed; you must specify the Web sites to include in these zones. To specify sites, select the zone to which you want to add sites and click Sites on the Security tab of the Internet Options dialog box. You see the Trusted Sites or the Restricted Sites dialog box, the first of which is shown in Figure 31-2. To add a new site, type its full address, starting with http:// or https://, into the Add This Web Site To The Zone box and click Add. The Web site appears in the Web Sites list. To remove a site, select it in the Web Sites list and click Remove. You can require a verified secure connection to all sites in this zone by clicking the Require Server Verification (https:) For All Sites In This Zone check box at the bottom of the dialog box; when selected, this setting prevents you from adding any sites that don't support HTTPS, which is described in the section "Securing Your Web Communication with Encryption and Certificates" later in this chapter.
[figure]
Figure 31-2: Adding sites to the Trusted Sites zone

Managing Java and JavaScript

The security settings that affect how Internet Explorer deals with Java and JavaScript programs are in the Microsoft VM and Scripting sections of the Security Settings dialog box. Follow these steps:

  1. On the Security tab of the Internet Options dialog box, click the zone for which you want to change or see the settings.
  2. Click the Custom Level button to display the Security Settings dialog box, shown here:

[image]
  3. You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely, by choosing Disable (Internet Explorer does not run this type of program downloaded from this zone), Enable (IE does run this type of program downloaded from this zone), or Prompt (ask before running the program).

Managing ActiveX Controls

We have never been big fans of ActiveX controls. They allow Web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls--which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: They have the same status as applications that you install yourself.

Disabling ActiveX controls is one option, as described in the previous section. However, if you frequent Microsoft Web sites like MSN or MSNBC, you will be exposed to numerous temptations to turn them back on. (We finally gave in to the excellent portfolio-tracking services at MSN Moneycentral.) We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the previous section.) When you find a Microsoft Web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone.

ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files (if Windows is installed in C:\Windows). If you use Internet Explorer, you should check this folder periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.
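
The compromise and the periodic folder check described above can be audited from PowerShell. This is an added example, not part of the original chapter: it assumes the per-user zone settings stored under the Internet Settings\Zones registry key (zones 1 to 4, with each setting saved as a numeric URL action value), and the function names Get-ZoneActiveXAudit and Get-DownloadedControls are hypothetical.

```powershell
# Added example (not from the book). Audits the per-user zone settings against the
# chapter's compromise: ActiveX disabled in every zone except Trusted Sites.
# Machine-wide or Group Policy settings, if present, can override these values.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Actions   = [ordered]@{            # URL action IDs that govern ActiveX
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$Settings  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXAudit {     # hypothetical helper name
    foreach ($zone in 1..4) {
        $props = Get-ItemProperty -Path "$ZonesKey\$zone" -ErrorAction SilentlyContinue
        foreach ($id in $Actions.Keys) {
            $raw = if ($props) { $props.$id } else { $null }
            if ($null -eq $raw) { $setting = 'Not set' }
            elseif ($Settings.ContainsKey([int]$raw)) { $setting = $Settings[[int]$raw] }
            else { $setting = "Other ($raw)" }
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Action  = $Actions[$id]
                Setting = $setting
                # Outside Trusted Sites (zone 2), only Disable matches the compromise.
                MatchesCompromise = ($zone -eq 2) -or ($setting -eq 'Disable')
            }
        }
    }
}

function Get-DownloadedControls {   # hypothetical helper name
    # Lists the files behind the Downloaded Program Files folder with their
    # Authenticode status, since downloaded controls should be signed.
    $dir = Join-Path $env:windir 'Downloaded Program Files'
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        Select-Object Name, LastWriteTime,
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } }
}

# Show only the settings that deviate from the compromise, then the installed controls.
Get-ZoneActiveXAudit | Where-Object { -not $_.MatchesCompromise } | Format-Table -AutoSize
Get-DownloadedControls | Format-Table -AutoSize
```

An empty first table means every zone other than Trusted Sites has all four ActiveX actions set to Disable for the current user.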
