Microsoft has announced plans to make several key default changes to Internet Explorer 7's security zones to further harden the browser against attacks. The built-in zones, which IE uses to enforce security rules for Web sites by grouping them into categories, will be changed so that the "Intranet" zone is no longer used unless the computer has joined a domain.
According to details posted on Microsoft's official IE Web log, Microsoft will also make significant default changes to the Internet zone and the Trusted sites zone to provide defense in depth against some dangerous IE attack vectors.
“The Internet zone, where most users browse, will be tightened down with two very notable changes. The Internet zone will run in Protected Mode on Windows Vista,” company officials said. “ActiveX Opt-In will also help reduce the attack surface of ActiveX controls in the Internet zone.”
With the Trusted sites zone in IE6, Microsoft's Vishu Gupta said the company found that many users do not understand how powerful a site becomes when they make it a Trusted site. "For example, a Trusted site in IE6 can automatically install signed ActiveX controls on the user's machine. As a safety precaution in IE7, we have set the default for the Trusted sites zone to medium, the same level as the Internet zone in IE6," Gupta said.