Microsoft KB Archive/174360

= How to use security zones in Internet Explorer =

Article ID: 174360

Article Last Modified on 12/18/2007

-

APPLIES TO

 Microsoft Internet Explorer 5.5 Service Pack 1 Microsoft Internet Explorer 5.5 Service Pack 2 Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.0 Microsoft Internet Explorer 4.01 Service Pack 1 Microsoft Internet Explorer 4.01 Service Pack 2 Microsoft Internet Explorer 4.0 128-Bit Edition</li> Microsoft Internet Explorer 5.5 Service Pack 1</li> Microsoft Internet Explorer 5.5 Service Pack 2</li> Microsoft Internet Explorer 5.5 Service Pack 1</li> Microsoft Internet Explorer 5.5 Service Pack 2</li> Microsoft Internet Explorer 5.01</li> Microsoft Internet Explorer 5.01</li> Microsoft Internet Explorer 5.5 Service Pack 1</li> Microsoft Internet Explorer 5.5 Service Pack 2</li> Microsoft Internet Explorer 5.01</li> Microsoft Internet Explorer 5.01</li> Microsoft Internet Explorer 5.0</li> Microsoft Internet Explorer 4.01 Service Pack 2</li> Microsoft Internet Explorer 5.5</li> Microsoft Internet Explorer 5.5</li> Microsoft Internet Explorer 5.01</li> Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 5.0</li> <li>Microsoft Internet Explorer 4.01 Service Pack 1</li> <li>Microsoft Internet Explorer 4.01 Service Pack 2</li> <li>Microsoft Internet Explorer 4.0 128-Bit Edition</li> <li>Microsoft Internet Explorer 5.5 Service Pack 1</li> <li>Microsoft Internet Explorer 5.5 Service Pack 2</li> <li>Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 6.0, when used with: <ul> <li>Microsoft Windows XP Home Edition</li></ul>

<ul> <li>Microsoft Windows XP Professional</li></ul>

<ul> <li>Microsoft Windows XP Media Center Edition 2002</li></ul>

<ul> <li>Microsoft Windows XP Tablet PC Edition</li></ul>

<ul> <li>Microsoft Windows 2000 Advanced Server</li></ul>

<ul> <li>Microsoft Windows 2000 Datacenter Server</li></ul>

<ul> <li>Microsoft Windows 2000 Professional Edition</li></ul>

<ul> <li>Microsoft Windows 2000 Server</li></ul>

<ul> <li>Microsoft Windows NT Server 4.0 Standard Edition</li></ul>

<ul> <li>Microsoft Windows NT Server 4.0, Terminal Server Edition</li></ul>

<ul> <li>Microsoft Windows NT Workstation 4.0 Developer Edition</li></ul>

<ul> <li>Microsoft Windows Millennium Edition</li></ul>

<ul> <li>Microsoft Windows 98 Standard Edition</li></ul>

<ul> <li>Microsoft Windows 98 Second Edition</li></ul> </li></ul>

-

<div class="notice_section">

This article was previously published under Q174360

<div class="notice_section">

Notice
This article is intended for home users. If you are not comfortable with this information, you might want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/

<div class="summary_section">

SUMMARY
The article describes the types of security zones in Microsoft Internet Explorer, and how to configure different levels of security for Web sites that you visit.

<div class="moreinformation_section">

MORE INFORMATION
Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

You can configure the My Computer zone (which contains files on your local computer) only from the Microsoft Internet Explorer Administration Kit (IEAK); these settings are not available in the browser interface. Administrators should use the default settings for this zone unless your organization has a specific requirement. Reduced security settings can result in security risk, whereas increased security settings can reduce functionality.

You can set the security options that you want for each zone, and then add or remove Web sites from the zones, depending on your level of trust in a Web site.

Internet Zone
This zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Local Intranet Zone
By default, the Local Intranet zone contains all network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), as long as they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6). Be aware that when you access a local area network (LAN) or an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or by using a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of in the Local intranet zone. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

303650 Intranet site is identified as an Internet site when you use an FQDN or an IP address

Trusted Sites Zone
This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone
This zone contains Web sites that you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files that you download or run from the Web site may damage your computer or your data. By default, there are no Web sites that are assigned to the Restricted Sites zone, and the security level is set to High.

The Restricted Sites zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Note Security settings are applied only to files on your computer that are in the Temporary Internet Files folder. These settings use the security level of the Web site from which the files came. All other files are assumed to be safe.

How to Configure Security Zones
To change the default security level for a zone, customize security options in a zone, or assign a Web site to a specific zone. To do this, follow the steps in one of the following sections.

How to Change the Default Security Level for a Zone
For each security zone in Internet Explorer 4.x, you can select the High, Medium, Low, or Custom security level setting. In Internet Explorer 5 and 6, you can select the High, Medium, Medium-low, Low, or Custom Level security setting.

To change the default security level for a zone:
 * 1) In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
 * 2) In Internet Explorer 4.x, on the Security tab, click the zone for which you want to change security levels in the Zone box.

In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings.
 * 1) Click the security level that you want to use for the zone, and then click OK.

How to Customize Security Settings in a Zone
The Custom option gives advanced users and administrators more control over all security options. For example, the Download Unsigned ActiveX Controls option is disabled by default in the Local Intranet zone (Medium security is the default setting for the Local Intranet zone). In this case, Internet Explorer may not run any ActiveX controls in your organization's intranet because most organizations do not sign ActiveX controls that are only used internally. For Internet Explorer to run unsigned ActiveX controls in your organization's intranet, change the security level for the Download Unsigned ActiveX Controls option to Prompt or Enable for the Local intranet zone. You an set the following security options by using the Custom setting:
 * Access to files, ActiveX controls, and scripts
 * The level of capabilities given to Java programs
 * If sites must be identified with Secure Sockets Layer (SSL) authentication
 * Password protection by using Windows NT Challenge/Response (NTLM). Depending on which zone a server is in, Internet Explorer can send your password automatically, prompt you for your user name and password, or deny any logon requests

To customize security options in a zone:
 * 1) In Internet Explorer 4.x, click Internet Options on the View menu.

In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
 * 1) In Internet Explorer 4.x, on the Security tab, click the zone that you want to customize in the Zone box.

In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings.
 * 1) Click Custom (For Expert Users), and then click Settings.

In Internet Explorer 5 and 6, click Custom Level.
 * 1) Under Reset Custom Settings, click the security level for the whole zone in the Reset To box, and then click Reset.
 * 2) Under the section for which you want to customize security settings, click the option that you want, click OK, and then click OK again.

To assign a Web site to a specific security zone: <ol> <li>In Internet Explorer 4.x, click Internet Options on the View menu.

In Internet Explorer 5 and 6, click Internet Options on the Tools menu.</li> <li>In Internet Explorer 4.x, on the Security tab, click the zone to which you want to assign a Web site in the Zone box, and then click Add Sites.

In Internet Explorer 5 and 6, on the Security tab, click the zone to which you want to assign a Web site under Select a Web content zone to specify its security settings, and then click Sites.

If you add a Web site to the Local Intranet zone, you can select the types of Web sites that you want to include in the zone, and then click Advanced to add specific sites. The following rules apply to the Local Intranet zone options. Be aware that adding a site to any zone takes precedence over the following rules: <ul> <li>Include all local (intranet) sites that are not listed in other zones: Intranet sites have names that do not include periods (for example, http://local). A site name such as http://www.microsoft.com is not local because it contains periods. This site is assigned to the Internet zone. The intranet site name rule applies to both "file:" and "http:" addresses. Be aware that top-level Internet domains may be accessed by using a name that does not contain periods. If you can gain access to generic (.com, .org, .net, .edu, .gov, .mil, or .int) or country code domains (.us, .jp, .uk, and so on), clear this option to prevent these sites from using Local Intranet security settings. For more information about top-level domains, visit the following Internet Corporation For Assigned Names and Numbers (ICANN) Web site:

http://www.icann.org/tlds

</li> <li>Include all sites that bypass the proxy server: Typical intranet configurations use a proxy server to gain access to the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for zones. If the proxy server is configured differently, clear this option and use other options to designate files that are assigned to the Local Intranet zone. On computers that do not have a proxy server, this setting has no effect.</li> <li>Include all network paths (UNCs): Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, a network path can reference Internet content.</li></ul> </li> <li>Type a Web address in the Add this Web site to the zone box, and then click Add.</li> <li>Click OK, and then click OK again.</li></ol>

When you add sites to the Local Intranet or Trusted Sites zones, you can require that server verification be used if you click to select the Require server verification (https:) for all sites in this zone check box.

Note You cannot assign a Web site to the Internet zone. The Internet zone contains all Web sites that are not on your computer or in the local intranet zone, or that are not already assigned to another zone.

For more information about how to resolve symptoms that are not resolved by the previous steps, click the following article number to view the article in the Microsoft Knowledge Base:

319585 "Software update incomplete" error message when you visit the Windows Update Web site

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

<div class="references_section">