The Dynamic Security Protection package in Internet Explorer 7 is a comprehensive suite of safety and security features designed to safeguard the integrity of the computer and your personal information. The components of Dynamic Security Protection can be organized into four key areas:
Protected mode features
Protected mode features, privacy reporting, and phishing filters are discussed in the sections that follow. Parental controls are discussed in Chapter 9, “Protecting User Accounts and Using Parental Controls.”
Unlike earlier versions of Internet Explorer, which have access to the operating system and running applications, Internet Explorer 7 operates in a protected mode, which isolates it from other applications in the operating system and prevents add-ons from writing content in any location beyond temporary Internet files folders without explicit user consent. Isolating Internet Explorer from other applications and restricting write locations prevents many types of malicious software from exploiting the computer. To further protect Windows Vista computers from malicious software, many other safeguards are in place, including:
Domain and URL restrictions
Security zone restrictions
By default, ActiveX controls that can run in Internet Explorer 7 are limited. Preinstalled ActiveX controls are disabled by default to prevent potentially vulnerable controls from being exposed to attack. Internet Explorer also has a special Add-Ons Disabled mode in which all browser extensions and add-ons are disabled (except for critical add-ons that are part of the browser core components). To start Internet Explorer in Add-Ons Disabled mode, click Start, point to All Programs, Accessories, System Tools, and click Internet Explorer (No Add-Ons), or right-click the Internet Explorer icon on the desktop and select Internet Explorer (No Add-Ons).
Internet Explorer 7 also makes it easier for you to manage installed add-ons by using the Manage Add-Ons dialog box, shown in Figure 4-4. These changes allow you to easily determine which add-ons have been downloaded and installed as well as which add-ons are currently loaded in Internet Explorer. Most downloaded add-ons can be easily disabled and deleted as well.
To view and manage downloaded add-ons, follow these steps:
In Internet Explorer, click Tools, click Manage Add-Ons, and then select Enable Or Disable Add-Ons.
In the Show drop-down list, select Downloaded ActiveX Controls.
Click the downloaded add-on you want to work with.
To disable the add-on, click Disable. The add-on is then prevented from running in Internet Explorer.
To delete the downloaded add-on, click Delete ActiveX. The add-on is then permanently removed from Internet Explorer.
Internet Explorer 7 supports both standard English domain names and internationalized domain names. English domain names are domain names represented using the letters A–Z, the numerals 0–9 and the hyphen. Internationalized domain names are domain names represented using native language characters.
Because Internet Explorer supports internationalized domain names, Microsoft wanted to find a way to help ensure that international characters aren’t used to make a site seem like something it isn’t. This is where international domain name anti-spoofing comes into the picture. International domain name anti-spoofing is designed to protect you against sites that could otherwise appear as known, trustworthy sites. If you visit a site that uses characters that are visually similar to a known trusted site, Internet Explorer displays a warning notification.
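The mixed-script case behind such a warning can be sketched as follows. This is an added example, not Internet Explorer's algorithm or code from the book; the function names, the ALLOWED_MIXES list and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: script combinations treated as legitimate (Japanese names mix these).
ALLOWED_MIXES = [{"CJK", "HIRAGANA", "KATAKANA", "LATIN"}]


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return None  # digits and the hyphen are script-neutral in hostnames
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_labels(host):
    """Decode an ASCII (Punycode) hostname and list the labels that mix scripts.

    Returns (unicode_host, findings); each finding is (label, sorted script names).
    """
    unicode_host = host.encode("ascii").decode("idna")
    findings = []
    for label in unicode_host.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1 and not any(scripts <= ok for ok in ALLOWED_MIXES):
            findings.append((label, sorted(scripts)))
    return unicode_host, findings


# Constructed sample: "example" with Cyrillic "а" (U+0430) replacing Latin "a",
# converted to the ASCII form that appears in DNS and in logs.
SPOOFED = "ex\u0430mple.test".encode("idna").decode("ascii")

if __name__ == "__main__":
    for h in ("example.test", "xn--bcher-kva.test", SPOOFED):
        print(h, "->", mixed_script_labels(h))
```

A label written entirely in one non-Latin script that happens to resemble a Latin name passes this check, so mixed-script detection covers only part of the look-alike problem.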
Another protection added to Internet Explorer has to do with URL handling. Internet Explorer 7 features a redesigned URL handler, which protects the computer from possible URL-parsing exploits, such as URLs that attempt to run commands or URLs that perform suspect actions.
As Figure 4-5 shows, security levels and zones are core parts of Internet Explorer’s security features. You can display security options for Internet Explorer by clicking Tools, selecting Internet Options, and then clicking the Security tab in the Internet Options dialog box.
By default, Internet Explorer always runs in protected mode. You can enable or disable protected mode by selecting or clearing the Enable Protected Mode check box. The standard levels of security that you can use are:
High This level is appropriate for sites that might contain harmful content. Internet Explorer runs in its highest protected mode, with maximum safeguards and with less secure features disabled.
Medium-high This level is appropriate for most sites. Internet Explorer prompts you prior to downloading potentially unsafe content and disables downloading of unsigned ActiveX controls.
Medium-high is a new security level in Internet Explorer 7, and it is also the default level for the Internet security zone.
Medium This level is appropriate only for trusted sites. In this mode, Internet Explorer prompts you prior to downloading potentially unsafe content and disables downloading of unsigned ActiveX controls.
Medium-low This level is appropriate only for sites on your internal network. In this mode, Internet Explorer runs most types of content without prompting but does disable downloading of unsigned ActiveX controls.
Low This level is appropriate only for sites you absolutely trust, such as secure internal sites. In this mode, Internet Explorer uses minimal safeguards, and most content is downloaded and run without prompts.
To help you manage when the various security levels should be used, Internet Explorer defines four standard security zones:
Internet This zone is for Internet sites, except those listed in trusted and restricted zones. By default, the Internet zone uses medium-high security.
Local Intranet This zone is for all sites that are on your internal network (intranet). By default, the Local Intranet zone uses medium-low security.
Trusted Sites This zone is for all sites that you have specifically identified as trusted and requiring the lowest level of safeguarding against possible damage. By default, the Trusted Sites zone uses a custom security level that is close to medium security.
Restricted Sites This zone is for all sites that you have identified as restricted and requiring the highest level of safeguarding against possible damage. By default, the Restricted Sites zone uses high security.
You can change the default behavior by setting a new security level for a zone, if permitted. For example, you could increase security for the Internet zone by setting the security level to High. For any zone except Restricted Sites, you can set a custom security level as well. With a custom security level, you configure individual security settings for content and downloads in any way desired.
Whether cookies were restricted or blocked based on your privacy settings.
Which Web sites have content on the page.
Whether a cookie for an individual site was accepted, restricted, or blocked.
Figure 4-6: A Web privacy report
When you are viewing the Web privacy report, you can click the Settings button to display the Internet Options dialog box with the Privacy tab selected. According to the privacy rules, cookies set by first-party sites are subject to different constraints than cookies set by third-party sites. By default, Internet Explorer uses a Medium privacy level, as shown in Figure 4-7. The Medium privacy level:
Blocks third-party cookies that save information that can be used to contact you without your explicit consent.
Restricts first-party cookies that save information that can be used to contact you without your implicit consent.
Figure 4-7: Viewing and setting the privacy level
In the Internet Options dialog box, you can configure other privacy levels using the options of the Privacy tab, including:
Block All Cookies Blocks all cookies from all Web sites, and blocks reading of existing cookies by Web sites.
Accept All Cookies Saves cookies from any Web site.
Phishing is a technique whereby a site attempts to collect personal information about you without your knowledge or consent. Internet Explorer 7 has a phishing filter that proactively warns you against potential or known fraudulent sites and blocks the site if appropriate. You can manage this feature by clicking Tools, Phishing Filter.
The phishing filter is always on by default. To turn off this feature, you can select Tools, Phishing Filter, Turn Off Automatic Website Checking. You can then manually check sites if desired by using the Check This Website option.
When you browse sites on the Internet, a warning icon is displayed on the status bar to help remind you when you aren’t at a well-known site. The warning icon doesn’t mean that the site has a known problem; rather, it means that the site is probably a smaller and less widely known site. Most commercial sites, such as MSN.com and Microsoft.com, are considered well-known sites, and when you visit these sites in Internet Explorer, you won’t see a warning icon.