Microsoft KB Archive/815141

= Internet Explorer Enhanced Security Configuration changes the browsing experience =

Article ID: 815141

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



SUMMARY
By default, Internet Explorer Enhanced Security Configuration is enabled on Windows Server 2003. When you start Microsoft Internet Explorer, you receive the following message:

Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your server. This enhanced level of security reduces the risk of attack from Web-based content that is not secure, but it may also prevent Web sites from displaying correctly and restrict access to network resources.

Internet Explorer Enhanced Security Configuration established a configuration for your server and for Microsoft Internet Explorer that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some Web sites may not display or perform as expected.

This article describes the effects of Internet Explorer Enhanced Security Configuration in Windows Server 2003.



MORE INFORMATION
Internet Explorer Enhanced Security Configuration establishes security settings that define how users browse Internet and intranet Web sites. These settings also reduce the exposure of your server to Web sites that might present a security risk.

This enhanced level of security can prevent Web sites from displaying correctly in Internet Explorer and can restrict access to network resources, such as files on Universal Naming Convention (UNC) shared folders. If you want to view a Web site that requires Internet Explorer functionality that has been disabled, you can add the Web site to the inclusion lists in the Local intranet or Trusted sites zones.

Internet Explorer security zones
In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:
 * For the Internet zone, the security level is set to High.
 * For the Trusted sites zone, the security level is set to Medium. This permits browsing of many Internet sites.
 * For the Local intranet zone, the security level is set to Medium-Low. This allows your user credentials (name and password) to be passed automatically to sites and applications that need them.
 * For the Restricted sites zone, the security level is set to High.
 * By default, all Internet and intranet sites are assigned to the Internet zone. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.

How to browse when Internet Explorer Enhanced Security Configuration is enabled
The Internet Explorer Enhanced Security Configuration increases the level of security on your server. However, it may also affect Internet browsing in the following ways:  Because ActiveX Controls and scripting are disabled, Internet sites may not display in Internet Explorer as you expect, and applications that use the Internet may not work correctly. If you trust an Internet site and need it to be fully functional, you can add that site to the Trusted sites zone in Internet Explorer.

If you try to view an Internet site that uses scripting or ActiveX Controls, you receive the following message:

Content from the Web site listed below is being blocked by the Internet Explorer Enhanced Security Configuration.

If you trust this Web site, you can lower security settings for the site by adding it to the Trusted sites zone. If you know this Web site is on your local intranet, review help for instructions on adding the site to the local intranet zone instead.

Microsoft recommends that you only add a site to the Trusted sites zone if you are completely confident that the site is trustworthy and that the URL is the correct one.

Note Adding a Web site to the Trusted sites zone will lower the security settings for all content from the Web site for all applications, including Internet Explorer.

For more information about how to add a Web site to the Trusted sites zone, see the &quot;Add Sites to the Trusted Sites Zone&quot; section of this article. Access to intranet sites, Web-based applications that run over a local intranet, and other files on shared network resources may be restricted. If you trust an intranet site or shared folder and need it to be functional, you can add it to the Local intranet zone.

For more information about how to do this, see the &quot;Add Sites to the Local Intranet Zone&quot; section of this article.

Effects of Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration adjusts the security levels for the existing security zones. The following table describes how each zone is affected:

Internet Explorer Enhanced Security Configuration also adjusts the Internet Explorer extensibility and security settings to reduce exposure to possible future security threats. These settings are on the Advanced tab of Internet Options in Control Panel. The following table describes the settings:

These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display online help, support, and general user assistance.

For more information about using the Local intranet or Trusted sites zones' inclusion lists, see the &quot;Managing Internet Explorer Enhanced Security Configuration&quot; section of this article.

When Internet Explorer Enhanced Security Configuration is enabled, the following additional settings are configured:  The Windows Update Web site is added to the Trusted sites zone. This allows you to continue to receive important updates for your operating system. The Windows error reporting site is added to the Trusted sites zone. This allows you to report problems encountered with your operating system and search for fixes. Several local computer sites (for example, http://localhost, https://localhost, and hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks. The Platform for Privacy Preferences (P3P) level is set to Medium for the Trusted sites zone. If you want to change the P3P level for any zone other than the Internet Zone, click the Privacy tab of Internet Options in Control Panel, and then click Import to apply a custom privacy policy. For additional sample privacy policies, visit the following Microsoft MSDN Library Web site:

http://msdn2.microsoft.com/en-us/library/ms537344.aspx

</li></ul>

Internet Explorer Enhanced Security Configuration and Terminal Services
The enhanced security configuration applies to different user accounts according to the type of installation. The following table describes how the users are affected:


 * During the manual Terminal Services installation, you are prompted to disable Internet Explorer Enhanced Security Configuration for users. This allows users to run a Terminal Services session without restrictions.

For a better experience when Terminal Services is enabled, it is a good idea to remove the enhanced security configuration from members of the Users group. These users have fewer permissions on the server, so they present a lower level of risk if they are victims of an attack. For more information about applying the enhanced security configuration, see the &quot;Apply Internet Explorer Enhanced Security Configuration to Specific Users&quot; section of this article.

Effects of Internet Explorer Enhanced Security Configuration on the Internet Explorer user experience
The following table describes how Internet Explorer Enhanced Security Configuration affects each user's experience with Internet Explorer:

All other Internet Explorer tasks can be completed by all user groups, unless the server administrator additionally restricts user access.

Managing Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration is designed to reduce your server's exposure to security threats. To make sure that you receive the most benefit from the enhanced security configuration, consider these browser management recommendations:
 * By default, all Internet and intranet sites are assigned to the Internet zone. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone, or if it is an intranet site, add the intranet site to the Local intranet zone. For more information about the security levels for each zone, see the &quot;Effects of Internet Explorer Enhanced Security Configuration&quot; section of this article.
 * If you want to run a browser-based client application over the Internet, it is best to add the Web page that hosts the application to the Trusted sites zone. For more information about how to do this, see the &quot;Add Sites to the Trusted Sites Zone&quot; section of this article.
 * If you want to run a browser-based client application over a protected and secure local intranet, it is best to add the Web page that hosts the application to the Local intranet zone. For more information about how to do this, see the &quot;Add Sites to the Local intranet Zone&quot; section of this article.
 * Add internal sites and local servers to the Local intranet zone to make sure you have access to applications and can run these applications from your servers.
 * Use Unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process. For more information about how to do this, see the Readme file in Deploy.cab on the Windows product CD.
 * Use client computers to download files such as drivers and service packs, and avoid browsing on servers.
 * If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list for images relative to different server types and requirements.

Add sites to the Trusted Sites zone
When Internet Explorer Enhanced Security Configuration is enabled on your server, the security settings for all Internet sites are set to High. If you trust a Web page and need it to be functional, you can add that page to the Trusted sites zone in Internet Explorer.

To do this, follow these steps:
 * 1) Visit the site that you want to add.
 * 2) * If you are already viewing the site that you want to add, go to step 2.
 * 3) * If you know the URL of the site that you want to add, start Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
 * 4) On the File menu, click Add this site to, and then click Trusted Sites Zone.
 * 5) In the Trusted sites dialog box, click Add to move the site to the list, and then click Close.
 * 6) Refresh the page to view the site from its new zone.
 * 7) Check the status bar of the browser to confirm that the site is in the Trusted sites zone.

Notes
 * If an Internet site tries to use scripting or ActiveX Controls, a dialog box appears to notify you. You can add the Internet site to the Trusted sites zone directly from this dialog box. If you have disabled this dialog box, you can re-enable the dialog box in Internet Explorer: On the Tools menu, click Internet Options. On the Advanced tab, select Display enhanced security configuration dialog.
 * A Web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
 * When you add a Web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages in that domain are also added. For example, if you add http://www.microsoft.com/windowsxp/expertzone/ to your Trusted sites zone, you are adding http://www.microsoft.com. If you then want to view the Windows Help and Support site, you must add http://support.microsoft.com separately, because the Windows Help and Support site is a separate domain.
 * Internet Explorer maintains two different lists of sites for the Trusted Sites zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.
 * You can use wildcard characters to add all subdomains for a particular domain. For example, you can add *.microsoft.com to the list. This adds both www.microsoft.com and support.microsoft.com.
 * Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site.
 * During installation, you can add many sites at the same time to the Trusted sites zone by using certain settings in Unattend.txt. For more information about how to do this, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information about how to do this, see the Microsoft Windows Server 2003 Deployment Kit.

Add sites to the Local Intranet zone
When Internet Explorer Enhanced Security Configuration is enabled, the security settings for all intranet sites are set to High. Therefore, you are prompted for your credentials (your user name and password) each time you visit intranet sites that have not been added to the Local intranet zone. If you regularly use intranet sites and you know those sites are trustworthy, you can add them to the Local intranet zone in Internet Explorer. To do this, follow these steps:
 * 1) Visit the site that you want to add.
 * 2) * If you are already viewing the site that you want to add, go to step 2.
 * 3) * If you know the URL of the site that you want to add, start Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
 * 4) On the File menu, click Add this site to, and then click Local Intranet Zone.
 * 5) In the Local intranet dialog box, click Add to move the site to the list, and then click Close.
 * 6) Refresh the page to view the site from its new zone.
 * 7) Check the status bar of the browser to confirm that the site is in the Local intranet zone.

Notes
 * Do not add Internet sites to the Local intranet zone, because your credentials are passed automatically to the site if they are requested.
 * A Web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
 * The enhanced security configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless the UNC path is added to the Local Intranet zone explicitly. For example, if you want to access \\ \share\setup.exe, you must add \\ to the Local intranet zone.
 * When you add a Web page to the Local intranet zone, you are adding the domain for that page. Therefore, all pages in that domain are also added. For example, if you add http:// to your Local intranet zone, you are adding http://.
 * Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Local intranet zone, you are adding it only to the list that is currently in effect.
 * During installation, you can add many sites at the same time to the Local intranet zone by using certain settings in Unattend.txt. For more information about how to do this, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server 2003 Deployment Kit.

Apply Internet Explorer Enhanced Security Configuration to specific users
Internet Explorer Enhanced Security Configuration allows you to control the level of Internet Explorer access allowed to certain user groups on your server.

To do this, follow these steps:
 * 1) Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
 * 2) Select Internet Explorer Enhanced Security Configuration, and then click Details.
 * 3) Click to select the check box for the users or groups that you want to apply the enhanced security configuration to: For administrator groups, For all other groups, or both, and then click OK.
 * 4) Click Next, and then click Finish.
 * 5) Restart Internet Explorer to apply the enhanced security settings.

Notes  When you apply Internet Explorer Enhanced Security Configuration to the Administrators group, the settings are applied to administrators and power users. When you apply Internet Explorer Enhanced Security Configuration to the Users group, the settings are applied to limited and restricted users.</li> For up-to-date information about Internet Explorer security zones, visit the following Microsoft MSDN Library Web site:

http://msdn2.microsoft.com/en-us/library/ms537186.aspx

</li></ul>

Apply Windows 2000 default Internet Explorer security settings
If Internet Explorer Enhanced Security Configuration is enabled on your server, you may decide to use the default Internet Explorer security settings used by Windows 2000.

To do this, follow these steps:
 * 1) Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
 * 2) Select Internet Explorer Enhanced Security Configuration, click to clear the selection, and then click OK.
 * 3) Click Next, and then click Finish.
 * 4) Restart Internet Explorer to apply the changes.

Important
 * When you use the Windows 2000 security settings for Internet Explorer, you restore the lists of Trusted sites and Local intranet sites that were in effect at the time Internet Explorer Enhanced Security Configuration was applied.
 * Applying the Windows 2000 default Internet Explorer security settings increases your server's exposure to potential attacks from malicious Web-based content.

Strengthen Internet Explorer security settings manually on your server
If you do not use Internet Explorer Enhanced Security Configuration in your environment, you can easily strengthen Internet Explorer by using Internet Options in Control Panel to manually raise the security settings on your server.

To do this, follow these steps:
 * 1) Start Internet Explorer, and then on the Tools menu, click Internet Options.
 * 2) On the Security tab, select the Web content zone that you want to adjust: Internet, Local intranet, Trusted sites, or Restricted sites.
 * 3) Under Security level for this zone, click Default Level to use the default security level for the zone, or click Custom Level, and then select the settings you want.

Notes  For Restricted sites, click Custom Level, and then click a level in the Reset to list.</li> For up-to-date information about Internet Explorer security zones, visit the following Microsoft MSDN Library Web site:

http://msdn2.microsoft.com/en-us/library/ms537186.aspx

</li></ul>

Browser Security best practices
Using servers for Internet browsing is not sound security practice because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, it is a good idea to restrict browsing on your server. To reduce the risk to your server of potential attacks from malicious Web-based content:
 * Do not use servers for browsing general Web content.
 * Use client computers to download files such as drivers and service packs.
 * Do not view sites that you cannot confirm are secure.
 * Use a limited user account instead of an administrator account for general Web browsing.
 * Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.

For more information about managing Internet Explorer Enhanced Security Configuration so that users and administrators can access trusted resources and Web sites on a corporate intranet and on the Internet, visit the following Microsoft Web site to download the &quot;Managing Internet Explorer Enhanced Security Configuration&quot; white paper:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

<div class="references_section">