Locking Down Internet Explorer
By Larry Seltzer | Posted 2004-08-26
IE's My Computer zone has been an open door to security threats, but now you can padlock it.
The security model for Internet Explorer has been based on security zones. Different Web pages execute in different zones, which have varying levels of privilege. To see this, go to Tools | Internet Options and click on the Security tab. Click on a zone and you can add a site to it if you like or change the security settings.
One of the most important zones is the My Computer security zone, which is actually hidden by default. (To view and modify the settings for this zone, see "How to Enable the My Computer Security Zone in Internet Options".) Web pages on your computer run in the My Computer zone, which is completely trusted. The theory is that pages running on your computer were installed, perhaps as part of an application, and need access to local resources such as files on the system.
The problem is that a large number of cross-zone vulnerabilities, such as the one described at www.securityfocus.com/bid/9628/, have let Web pages on the Internet execute script and other code in the My Computer zone.
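As an added example (not part of the original article), the following audit reads a reg export of the Internet Settings Zones key and reports whether the My Computer zone (zone 0) is hidden and which script and ActiveX actions it runs without prompting. The zone numbers, the Flags bit and the action IDs are the ones Microsoft documents for these keys; the sample export and the function names are constructed for illustration.

```python
import re

# Documented values under ...\Internet Settings\Zones\<n>: policy 0 = enable, 1 = prompt, 3 = disable.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
           "1201": "Initialize and script ActiveX controls not marked safe",
           "1400": "Active scripting"}
HIDDEN = 0x20  # Flags bit: do not show this zone on the Security tab

# Constructed sample in `reg export` text form, not taken from a real machine.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000021
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"Flags"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"""

def parse_zones(reg_text):
    """Return {zone_number: {value_name: int}} from exported .reg text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[.*\\Zones\\(\d+)\]", line)
        if line.startswith("["):  # any key header; non-zone keys are skipped
            current = zones.setdefault(int(m.group(1)), {}) if m else None
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return zones

def audit_zone(zones, number=0):
    """Report whether a zone is hidden and which risky actions run unprompted."""
    values = zones.get(number, {})
    enabled = [ACTIONS[a] for a in sorted(ACTIONS) if values.get(a) == 0]
    return {"zone": ZONES.get(number, "unknown"), "enabled": enabled,
            "hidden": bool(values.get("Flags", 0) & HIDDEN)}

if __name__ == "__main__":
    print(audit_zone(parse_zones(SAMPLE_REG)))
```

Any action listed as enabled for zone 0 is one that a page reaching the My Computer zone can use without a prompt, so those are the settings to review first.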