Internet Explorer Enhanced Security Configuration places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some Web sites may not display or perform as expected.
For more information, see the following:
In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:
- For the Internet zone, the security level is set to High.
- For the Trusted sites zone, the security level is set to Medium, which allows browsing of many Internet sites.
- For the Local intranet zone, the security level is set to Medium-Low, which allows your user credentials (name and password) to be passed automatically to sites and applications that need them.
- For the Restricted sites zone, the security level is set to High.
- All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.
Return to top
The enhanced security configuration increases the level of security on your server, but may also affect Internet browsing in the following ways:
- Because ActiveX controls and scripting are disabled, Internet sites may not display in Internet Explorer as expected and applications that make use of the Internet may not work correctly. If you trust an Internet site and need it to be functional, you can add that site to the Trusted sites zone in Internet Explorer. If you attempt to browse an Internet site that makes use of scripting or Active X controls, Internet Explorer will prompt you to consider adding the site to the Trusted sites zone. You should add the site to the Trusted sites zone only if you are completely confident that the site is trustworthy and that the URL to be added is indeed the correct one. For more information, see Add sites to the Trusted sites zone.
- Access to intranet sites, Web-based applications that run over a local intranet, and other files on network shares may be restricted. If you trust an intranet site or share and need it to be functional, you can add it to the Local intranet zone. For more information, see Add sites to the Local intranet zone.
Return to top
Internet Explorer Enhanced Security Configuration adjusts the security levels for the existing security zones. The following table describes how each zone is affected.
| Internet zone |
High |
This zone has the same security settings as the Restricted sites zone. All Internet and intranet sites are assigned to this zone by default.
Web pages may not display in Internet Explorer as expected and applications that require the browser may not work correctly because scripts, Microsoft ActiveX controls, the Microsoft virtual machine (Microsoft VM) for HTML content, and file downloads have been disabled. If you trust an Internet site and need it to be functional, you can add that site to the Trusted sites zone in Internet Explorer. For more information, see Add sites to the Trusted sites zone.
Access to scripts, executable files, and other files on Universal Naming Convention (UNC) shares is restricted unless the share is added to the Local intranet zone explicitly. For more information, see Add sites to the Local intranet zone.
|
| Local intranet zone |
Medium-Low |
When visiting intranet sites, you may be repeatedly prompted for credentials (your user name and password) as a result of the enhanced security configuration. In the past, Internet Explorer automatically passed your credentials to intranet sites. The enhanced security configuration disables the automatic detection of intranet sites. If you want your credentials to be passed automatically to certain intranet sites, add those sites to the Local intranet zone. For more information, see Add sites to the Local intranet zone.
Do not add Internet sites to the Local intranet zone, because your credentials will be passed automatically to the site if they are requested.
|
| Trusted sites zone |
Medium |
This zone is for the Internet sites whose content you trust. For more information, see Add sites to the Trusted sites zone. |
| Restricted sites zone |
High |
This zone contains sites you don't trust, such as sites that may damage your computer or data if you attempt to download or run files from them. |
The enhanced security configuration also adjusts the Internet Explorer extensibility and security settings to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of Internet Options in Control Panel. The following table describes the settings that are affected.
| Browsing |
Display enhanced security configuration dialog |
On |
Displays a dialog box to notify you when an Internet site tries to use scripting or ActiveX controls. |
| Browsing |
Enable Browser Extensions |
Off |
Disables features you installed for use with Internet Explorer that may have been created by companies other than Microsoft. |
| Browsing |
Enable Install On Demand (Internet Explorer) |
Off |
Disables installing Internet Explorer components on demand, if needed by a Web page. |
| Browsing |
Enable Install On Demand (Other) |
Off |
Disables installing Web components on demand, if needed by a Web page. |
| Microsoft VM |
JIT compiler for virtual machine enabled (requires restart) |
Off |
Disables the Microsoft VM compiler. |
| Multimedia |
Don't display online content in the media bar |
On |
Disables playback of media content in the Internet Explorer media bar. |
| Multimedia |
Play sounds in Web pages |
Off |
Disables music and other sounds. |
| Multimedia |
Play animations in Web pages |
Off |
Disables animations. |
| Multimedia |
Play videos in Web pages |
Off |
Disables video clips. |
| Security |
Check for server certificate revocation (requires restart |
On |
Automatically checks a Web site's certificate to see whether it has been revoked before accepting it as valid. |
| Security |
Check for signatures on downloaded programs |
On |
Automatically verifies and displays the identity of programs you download. |
| Security |
Do not save encrypted pages to disk |
On |
Disables saving secured information in your Temporary Internet Files folder. |
| Security |
Empty Temporary Internet Files folder when browser is closed |
On |
Automatically clears the Temporary Internet Files folder when you close the browser. |
These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display online help, support, and general user assistance.
For more information on using the Local intranet or Trusted sites zones' inclusion lists, see Managing Internet Explorer Enhanced Security Configuration.
When Internet Explorer Enhanced Security Configuration is enabled:
- The Windows Update Web site is added to the Trusted
sites zone. This allows you to continue to get important updates for your operating system.
- The Windows error reporting site is added to Trusted sites zone. This allows you to report problems encountered with your operating system and search for fixes.
- Several local machine sites (for example, http://localhost, https://localhost, hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.
- The Platform for Privacy Preferences (P3P) level is set to Medium for the Trusted sites zone. If you want to change the P3P level for any zone other than the Internet Zone, go to the Privacy tab of Internet Options in Control Panel and click Import to apply a custom privacy policy. Sample privacy policies can be found at the Microsoft MSDN Library Web site (http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp).
The enhanced security configuration applies to different user accounts according to the type of installation. The following table describes how the users are affected.
| Upgrading the operating system |
Yes |
Yes |
No |
No |
| Unattended installation of the operating system |
Yes |
Yes |
No |
No |
| Manual installation of Terminal Services |
Yes |
Yes |
Yes** |
Yes** |
** During the manual Terminal Services installation, you are prompted to disable Internet Explorer Enhanced Security Configuration for users. This allows users to run a terminal server session without restrictions.
For a better experience when Terminal Services is enabled, you should remove the enhanced security configuration from members of the Users group. These users have fewer privileges on the server, so they present a lower level of risk if they are victims of an attack. For more information about applying the enhanced security configuration, see Apply Internet Explorer Enhanced Security Configuration to specific users.
The following table describes how Internet Explorer Enhanced Security Configuration affects each user's experience with Internet Explorer.
|
| Turn on/off Internet Explorer Enhanced Security Configuration |
Yes |
No |
No |
No |
| Adjust the security level for a particular zone in Internet Explorer |
Yes |
Yes |
No |
No |
| Add sites to the Trusted sites zone |
Yes |
Yes |
Yes |
Yes |
| Add sites to the Local intranet zone |
Yes |
Yes |
Yes |
Yes |
All other Internet Explorer tasks can be completed by all user groups, unless the server administrator chooses to further restrict user access.
Return to top
Internet Explorer Enhanced Security Configuration is designed to reduce your server's exposure to security threats. To ensure that you get the most benefit from the enhanced security configuration, consider these browser management recommendations:
- All Internet and intranet sites are assigned to the Internet zone by default. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone and add the intranet site to the Local intranet zone. For more information on the security levels for each zone, see Effects of Internet Explorer Enhanced Security Configuration.
- If you want to run a browser-based client application over the Internet, you should add the Web page that hosts the application to the Trusted sites zone. For more information, see Add sites to the Trusted sites zone.
- If you want to run a browser-based client application over a protected and secure local intranet, you should add the Web page that hosts the application to the Local intranet zone. For more information, see Add sites to the Local intranet zone.
- Add internal sites and local servers to the Local intranet zone to make sure you have access to, and can run, applications from your servers.
- Use unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process. For more information, see the Readme file in Deploy.cab on the Windows product CD.
- Use client computers to download drivers, service packs, and so on, and avoid any browsing on servers.
- If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list for images relative to different server types and needs.
When Internet Explorer Enhanced Security Configuration is enabled on your server, the security settings for all Internet sites are set to High. If you trust a Web page and need it to be functional, you can add that page to the Trusted sites zone in Internet Explorer.
- Navigate to the site that you want to add.
- If you are already viewing the site that you want to add, continue to step 2.
- If you know the URL of the site that you want to add, open Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
- On the File menu, click Add this site to, and then click Trusted Sites Zone.
- In the Trusted sites dialog box, click Add to move the site to the list, and then click Close.
- Refresh the page to view the site from its new zone.
- Check the Status bar of the browser to confirm that the site is in the Trusted sites zone.
Notes
- If an Internet site tries to use scripting or ActiveX controls, a dialog box is displayed to notify you. You can add the Internet site to the Trusted sites zone directly from this dialog box. If you have disabled this dialog box, you can re-enable the dialog box in Internet Explorer. On the Tools menu, click Internet Options. On the Advanced tab, select Display enhanced security configuration dialog.
- A Web page can be part of only one zone at a time — you cannot add a page to both the Trusted sites zone and the Local intranet zone.
- When you add a Web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add http://www.microsoft.com/windowsxp/expertzone/ to your Trusted sites zone, you are adding http://www.microsoft.com. If you then want to view the Windows Help and Support site, you will have to add http://support.microsoft.com separately, because the Windows Help and Support site is a separate domain.
- Internet Explorer maintains two different lists of sites for the Trusted Sites zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.
- You can use wildcards to add all sub-domains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.
- Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site.
- During installation you can add many sites at one time to the Trusted sites zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server 2003 Deployment Kit.
When Internet Explorer Enhanced Security Configuration is enabled, the security settings for all intranet sites are set to High. As a result, you are prompted for your credentials (your user name and password) each time you visit intranet sites that have not been added to the Local intranet zone. If you routinely use intranet sites, and you know those sites are trustworthy, you can add them to the Local intranet zone in Internet Explorer.
- Navigate to the site that you want to add.
- If you are already viewing the site that you want to add, continue to step 2.
- If you know the URL of the site that you want to add, open Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
- On the File menu, click Add this site to, and then click Local Intranet Zone.
- In the Local intranet dialog box, click Add to move the site to the list, and then click Close.
- Refresh the page to view the site from its new zone.
- Check the Status bar of the browser to confirm that the site is in the Local intranet zone.
Notes
- Do not add Internet sites to the Local intranet zone, because your credentials are passed automatically to the site if they are requested.
- A Web page can be part of only one zone at a time — you cannot add a page to both the Trusted sites zone and the Local intranet zone.
- The enhanced security configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local Intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone.
- When you add a Web page to the Local intranet zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add http://YourIntranetServer/SubWeb to your Local intranet zone, you are adding http://YourIntranetServer.
- Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Local intranet zone, you are adding it only to the list that is currently in effect.
- During installation you can add many sites at one time to the Local intranet zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server 2003 Deployment Kit.
Internet Explorer Enhanced Security Configuration allows you to control the level of Internet Explorer access allowed to certain user groups on your server.
- Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
- Select Internet Explorer Enhanced Security Configuration, and then click Details.
- Select the user group(s) that you want to apply the enhanced security configuration to — Administrators, Users, or both — and then click OK.
- Click Next, and then click Finish.
- Restart Internet Explorer to apply the enhanced security settings.
Notes
- When you apply Internet Explorer Enhanced Security Configuration to the Administrators group, the settings are applied to Administrators and Power Users. When you apply Internet Explorer Enhanced Security Configuration to the Users group, the settings are applied to Limited and Restricted Users.
- For up-to-date information about Internet Explorer security zones, go to the Microsoft MSDN Library Web site (http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp).
If Internet Explorer Enhanced Security Configuration is enabled on your server, you may find it necessary to use the default Internet Explorer security settings of Windows 2000.
- Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
- Select Internet Explorer Enhanced Security Configuration, click the check box to clear the selection, and then click OK.
- Click Next and then click Finish.
- Restart Internet Explorer to apply the changes.
Important
- When you restore Windows 2000 security settings for Internet Explorer, you also restore the lists of Trusted sites and Local intranet sites that were in effect at the time Internet Explorer Enhanced Security Configuration was applied.
- Applying the Windows 2000 default Internet Explorer security settings increases your server's exposure to potential attacks from malicious Web-based content.
If you do not use Internet Explorer Enhanced Security Configuration in your environment, you can easily strengthen Internet Explorer by using Internet Options in Control Panel to manually raise the security settings on your server.
- Open Internet Explorer.
- On the Tools menu, click Internet Options.
- On the Security tab, select the Web content zone you want to adjust: Internet, Local intranet, Trusted sites, or Restricted sites.
- Under Security level for this zone, click Default Level to use the default security level for the zone, or click Custom Level and then select the settings you want.
Notes
- For Restricted sites, click Custom Level, and then click a level in the Reset to list.
- For up-to-date information about Internet Explorer security zones, go to the Microsoft MSDN Library Web site (http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp).
Return to top
Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.
To reduce the risk to your server of potential attacks from malicious Web-based content:
- Do not use servers for browsing general Web content.
- Use client computers to download drivers, service packs, and so on.
- Do not view sites that you cannot confirm are secure.
- Use a limited user account instead of an administrator account for general Web browsing.
- Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.
Return to top