How to Lock Down Internet Explorer

Posted by adfm, Jun 15 2010 03:29 PM

You never know when you're going to fall victim to something malicious on the Internet. If you're using Internet Explorer as your main browser, it's a good idea to lock down those services that are most at risk. This excerpt from David A. Karp's Windows 7 Annoyances lets you know what you'll need to do in order to lock down Internet Explorer.


Over the years, Microsoft has fixed hundreds of security holes in Internet Explorer, and if you’ve been using the Windows Update feature regularly, you already have the benefit of all their sweat and tears sitting on your hard disk. But the larger issue is IE’s underlying design—and its cozy connection with the underlying operating system—that has caused so much trouble all these years.

The premise is that a web page can contain code that instructs Internet Explorer to install software on your PC. In the early days, web designers used this capability sparingly, mostly to install widgets and small helper programs to add trivial features to their pages. But it didn’t take long for unscrupulous hackers and greedy corporate executives to learn how to exploit Internet Explorer’s open-door nature, which is why we now have spyware, adware, browser hijackers, rootkits, and other nasty surprises.

Microsoft finally addressed many of Internet Explorer’s unfortunate shortcomings in IE8, which comes with Windows 7, and not a moment too soon. But just because IE now looks for signed code and has a list of malicious websites at its disposal, doesn’t mean it can’t still be a conduit for malicious software. Thanks to the strategy tax explained in the preface, you have two choices: hobble Internet Explorer by turning off the most dangerous features, use a different browser, or both.


Warning: If you’re using Mozilla Firefox, discussed later, avoid the Microsoft .NET Framework Assistant (ClickOnce) add-on like the plague. It adds to Firefox the same core vulnerability of Internet Explorer, namely the ability for websites to easily and quietly install software on your PC, and is installed surreptitiously with several Windows updates. Since this design flaw is one of the reasons you may’ve originally switched to Firefox in the first place, you’d be wise to remove it. If you find the Uninstall button grayed out in Firefox, see http://www.annoyance...w/article08-600 for removal instructions.

If you want to stick with Internet Explorer for now, open the Internet Options window in Control Panel (or from the Tools drop-down in IE, select Internet Options). Choose the Security tab, and turn on the Enable Protected Mode option if it’s not already enabled. Then select the Internet “zone” icon at the top (the globe), and then click Custom Level below to open the Security Settings dialog box shown in Figure 7-36.

Figure 7-36. Use the Security Settings window to turn off some of the more dangerous Internet Explorer features



Next, go down the list, and set the options as follows. (Note that your list may differ slightly as the result of recent updates from Microsoft.)

Option: Set to...

.NET Framework
    Loose XAML: Disable
    XAML browser applications: Disable (!)
    XPS documents: Disable

.NET Framework-reliant components
    Permissions for components with manifests: Disable (!)
    Run components not signed with Authenticode: Disable (!)
    Run components signed with Authenticode: Disable

ActiveX controls and plug-ins
    Allow previously unused ActiveX controls to run without prompt: Disable (!)
    Allow Scriptlets: Disable
    Automatic prompting for ActiveX controls: Disable
    Binary and script behaviors: Administrator approved
    Display video and animation on a web page that does not use external media player: Disable
    Download signed ActiveX controls: Disable (!)
    Download unsigned ActiveX controls: Disable (!)
    Initialize and script ActiveX controls not marked as safe for scripting: Disable (!)
    Only allow approved domains to use ActiveX without prompt: Enable
    Run ActiveX controls and plug-ins: Administrator approved
    Script ActiveX controls marked safe for scripting: Disable

Downloads
    Automatic prompting for file downloads: Disable
    File download: Enable
    Font download: Prompt or Disable

Enable .NET Framework setup: Disable

Miscellaneous
    Access data sources across domains: Disable
    Allow META REFRESH: Enable
    Allow scripting of Internet Explorer Web browser control: Disable
    Allow script-initiated windows without size or position constraints: Disable
    Allow web pages to use restricted protocols for active content: Disable
    Allow websites to open windows without address or status bars: Disable
    Display mixed content: Prompt
    Don’t prompt for client certificate selection…: Disable
    Drag-and-drop or copy and paste files: Enable
    Include local directory path when uploading files to a server: Disable (!)
    Installation of desktop items: Disable (!)
    Launching applications and unsafe files: Disable (!)
    Launching programs and files in an IFRAME: Disable (!)
    Navigate subframes across different domains: Prompt
    Open files based on content, not file extension: Enable
    Submit non-encrypted form data: Enable
    Use Pop-up Blocker: Enable (!)
    Use SmartScreen Filter: Enable (!)
    Userdata persistence: Enable
    Websites in less privileged web content zone can navigate…: Enable

Scripting
    Active Scripting: Prompt
    Allow Programmatic clipboard access: Disable (!)
    Allow status bar updates via script: Disable (!)
    Allow websites to prompt for information using scripted windows: Disable
    Enable XSS filter: Enable
    Scripting of Java applets: Enable

User Authentication
    Logon: Anonymous logon

Click OK when you’re done changing security settings.


Warning: Setting the Launching applications and unsafe files option may have consequences even if you use Mozilla Firefox to download files. If Firefox tells you that a “download has been blocked by your Security Zone Policy,” try changing this option to Prompt instead of Disable.

Next, click the Trusted sites (green checkmark) icon, click the Sites button, and turn off the Require server verification (https:) for all sites in this zone option. Type the following URLs into the Add this Web site to the zone field, clicking the Add button after each one:

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://*.windowsupdate.microsoft.com

These four URLs permit the Windows Update feature to continue working unencumbered by your new security settings. The asterisks are wildcards allowing these rules to apply to variants, such as http://download.windowsupdate.com. Feel free to add the domains for other websites you trust, and then click OK when you’re done.
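The dialog settings above and the Trusted sites entries both end up as DWORD values under the current user's Internet Settings registry keys, which makes them easy to audit on a fleet of machines. The following PowerShell script is an added example, not code from Windows 7 Annoyances or from the forum post: it reads (never writes) the Internet zone (Zones\3) and the ZoneMap\Domains keys and reports which of a subset of the recommended settings are in effect. The registry value names (1001, 1200, 1400, 2500, 1A00, and so on) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding follow Microsoft's documented layout for the Zones keys; only options whose identifiers are well established are included, and the exact ZoneMap keys assumed for the wildcard Windows Update entries are marked as assumptions in the comments.

```powershell
# Added example (not from Windows 7 Annoyances or the forum post). Audits the current user's
# Internet Explorer settings against a subset of the recommendations above. Read-only.
# Value names such as 1001 and the 0/1/3 state encoding follow Microsoft's documented
# layout of the Internet Settings\Zones keys; the subset is limited to well-known identifiers.

$zonePath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # 3 = Internet zone
$zoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Names for the DWORD states used by the ordinary zone settings.
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

function Get-StateName([object]$Value) {
    if ($null -eq $Value) { return '(not set, browser default)' }
    $n = [int]$Value
    if ($stateName.ContainsKey($n)) { return $stateName[$n] }
    return "unknown ($n)"
}

# Recommended states from the table above, keyed by the registry value name of each option.
$expectedZone3 = @(
    @{ Value = '1001'; Want = 3;     Option = 'Download signed ActiveX controls' },
    @{ Value = '1004'; Want = 3;     Option = 'Download unsigned ActiveX controls' },
    @{ Value = '1200'; Want = 65536; Option = 'Run ActiveX controls and plug-ins' },
    @{ Value = '1201'; Want = 3;     Option = 'Initialize and script ActiveX controls not marked as safe for scripting' },
    @{ Value = '1400'; Want = 1;     Option = 'Active Scripting' },
    @{ Value = '1803'; Want = 0;     Option = 'File download' },
    @{ Value = '1806'; Want = 3;     Option = 'Launching applications and unsafe files' },
    @{ Value = '1809'; Want = 0;     Option = 'Use Pop-up Blocker' },
    @{ Value = '2500'; Want = 0;     Option = 'Enable Protected Mode' }
)

function Test-IEInternetZone {
    $actual = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($e in $expectedZone3) {
        $current = $actual.($e.Value)          # $null when the value has never been written
        [pscustomobject]@{
            Option    = $e.Option
            Expected  = $stateName[$e.Want]
            Current   = Get-StateName $current
            Compliant = ($null -ne $current -and [int]$current -eq $e.Want)
        }
    }
    # Logon (value 1A00) uses its own encoding; 3 means "Anonymous logon".
    $logon = $actual.'1A00'
    $logonText = if ($null -eq $logon) { '(not set, browser default)' }
                 elseif ([int]$logon -eq 3) { 'Anonymous logon' }
                 else { "other ($logon)" }
    [pscustomobject]@{
        Option    = 'Logon'
        Expected  = 'Anonymous logon'
        Current   = $logonText
        Compliant = ($null -ne $logon -and [int]$logon -eq 3)
    }
}

# The four Windows Update entries. IE stores a wildcard entry such as http://*.windowsupdate.com
# as the key Domains\windowsupdate.com holding a DWORD named after the scheme whose data is the
# zone number (2 = Trusted sites). The key paths below are assumptions about how IE8 writes
# these particular entries; adjust them if your registry shows a different layout.
$expectedTrusted = @(
    @{ Entry = 'http://*.update.microsoft.com';        Key = 'microsoft.com\update';        Scheme = 'http'  },
    @{ Entry = 'https://*.update.microsoft.com';       Key = 'microsoft.com\update';        Scheme = 'https' },
    @{ Entry = 'http://*.windowsupdate.com';           Key = 'windowsupdate.com';           Scheme = 'http'  },
    @{ Entry = 'http://*.windowsupdate.microsoft.com'; Key = 'microsoft.com\windowsupdate'; Scheme = 'http'  }
)

function Test-WindowsUpdateTrustedSites {
    foreach ($t in $expectedTrusted) {
        $keyPath = Join-Path $zoneMapPath $t.Key
        $zone = $null
        if (Test-Path $keyPath) { $zone = (Get-ItemProperty -Path $keyPath).($t.Scheme) }
        [pscustomobject]@{
            Entry     = $t.Entry
            Zone      = $(if ($null -eq $zone) { '(not mapped)' } else { $zone })
            InTrusted = ($null -ne $zone -and [int]$zone -eq 2)
        }
    }
}

Test-IEInternetZone            | Format-Table -AutoSize
Test-WindowsUpdateTrustedSites | Format-Table -AutoSize
```

Run it as the user whose browser you are checking, since the settings live under HKCU; a row showing "(not set, browser default)" means the option was never changed from IE's default for the zone, which for most of the rows above is not the recommended state. Settings pushed by Group Policy appear under HKLM or the Policies keys instead and will not show up here.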

Windows 7 Annoyances

Learn more about this topic from Windows 7 Annoyances.

Windows 7 may be faster and more stable than Windows Vista, but that's a far cry from problem-free. With Windows 7 Annoyances, you'll learn how to deal with a wide range of nagging problems before they deal with you. Annoyances.org founder David Karp offers you the tools to fix all sorts of Windows 7 issues, along with solutions, hacks, and timesaving tips to make the most of your PC.


