Security → Re: Firefox 3 honors Windows Security Zones...

We noticed it. But from a different angle.

What you say:
"I can't run my browser in this [potentially] unsafe environment because it will adopt that environment's settings.

What an IT admin might say:
"I don't want you to run your browser on my machine without adopting the environment's settings because your browser's settings may be unsafe. More importantly, your USB drive might be infected, blah blah..."

It's all about perspective, I suppose.

BUT ... does it matter anyway (from your perspective)? Let's see:

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

- I don't really know how FF 3.0 would behave as a portable application. It may "know", even without modification, it's not installed on the host and therefore does not change its behavior to match the host machine's policy.

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).

Maybe there is already another option somewhere that does what I suggest, but I am unaware of it.

I agree. Then it comes to browsers's developers attitude (or their perspective). They may say - IT admin is right, and therefore has all the rights, including an IT admin wishes - "I want to know all your browsing history - past, present and future (saved links and autocompltetes)", "I need to know all your passwords that in case you forgot it I'll help you...", etc.

It's done in IE (and that's the reason why I'm looking for a substitute). If it's FF future policy as well, then well... It's good for a corporate environment, but certainly not for a private user.Do you really mean Trusted zone (or zone #2)? Do they save ADS with ZoneID=2 line?Now, that's finally the right direction to move . I mean to make FF portable. But then forget about zone configuration which is saved in registry.

That is most important of all. So far, I'm still okay with FF, even with the new features (or regressions, again, depending on perspective). I've worked around things I don't like and embraced the things I do like.

I have no control over developers' direction and intentions for future versions of FF. There are some things I see currently as potentially troubling indications of the direction things are heading, but I'll react when appropriate (perhaps, as you say, by switching browsers).Well, by least restrictive in this context, I could have meant any of the zones that have no impact on, or relevance to, file downloads or attachments. So, looking at the table of zones:

Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone
 

I could have been referring to anything below Zone 3.

And as far as I can tell, Zone 3 is the only identifier tagged onto files per policy as it is the only one that may require further action (e.g., prompting upon execution) once it is downloaded (see tangential note below).»portableapps.com/
»www.u3.com/

Note:

Minor points of interest:

- you can turn your list of Trusted Sites into Restricted Sites by setting "Launching applications and unsafe files" to "Disable" under the Trusted Sites tab

- you can turn your list of Restricted Sites into Trusted Sites by setting "Launching applications and unsafe files" to "Enable" under the Restricted Sites tab (this will get you a warning that "Your Security Settings Put Your Computer At Risk").