Broadband Tech > Security > Security > Zoning Out!

Zoning Out!

• Tools|Internet Options|Security|Internet|Custom Level|Micorsoft VM|Java Permissions
  
• Tools|Internet Options|Security|Internet|Custom Level|Scripting| Scripting of Java applets
  
• Tools|Internet Options|Advanced|Microsoft VM|Java console enabled
  
• Tools|Internet Options|Advanced|Microsoft VM|Java logging enabled
  
• JIT compiler for virtual machine enabled

Wrong link.
Opps
[text was edited by author 2001-05-23 17:41:16]

reply to R2
I'm on the brink of disabling even more. Popups are so unbelievably annoying. I would not only not buy anything that pops up behind my browser, whether I want it or not, I go out of my way to avoid the SOB who bought the ad forever after.

Now, to the point at hand:

Internet Zone: No active X, basic java support (soon to go the way of the dodo), and temporary cookies only.

Trusted zone: essentially, the "standard" configuration MS defaults for internet zone. However, no "user data persistence," NO PLACE; no automatic log ins; no iframes, desktop changes, auto updates, or install on demand, anywhere, either, and java/x/channels are always at "high safety."

Restricted zone: Nuthin'. Be glad I let your html through .

Finally, I have an "extra" zone, called "tracking zone". This is a registry tweak available with Xsetup (http://www.xteq.com), that doesn't even acknowledge the "features" to deny them. It's about as restrictive as you can possibly get, kills popups like magic, stops most tracking efforts dead, and gets applied to any "overly cutesy" sites I stumble over...

Very important to me, in "advanced settings" (everywhere):

Disable:
Folder view for FTP
Auto check for updates
Install on demand
Profile assistant

That's a VERY brief rundown of my own approach to zones. I'm sure some others will have their own pet settings, as we all do, but I think this is a good start... my java settings may be a little risky for non-NT/2k systems, by the way... I set them slightly looser than normal, simply because I have my permissions set such that NT returns a "security exception - access denied" error every time I check it on a test script that digs for information about you via java... my 95 machine, though, obliges them readily, so be aware... remember, MS java isn't "real" java, so the security features of Sun Java 2 aren't necessarily there... I really do need to disable that... jeez... MS Mock Java isn't something I trust worth a... oh, well... thanks for the thought! Good securing to you...
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill

reply to R2

reply to R2
Thanks for the answers. Gwion, I think I am leaning the direction you have taken. I like the idea of the 'extra' zone the ActiveX gives you, however, I am not sure how that will really differ from a fully Disabled Restricted Sites. I would have preferred that they give you the option to set up the new zone however you want to. That way you could have a Trusted "A" list and and "B" list, for example.

Interestingly, it seems like Steve Gibson has done the same type of thing here. Also, from that page check out this link. On that second page, spin down a few screens and check out his Restricted Sites list. You can download a .reg file to copy those into your system!:)

It seems like this tool may be EXACTLY what I want! Check that out if you want MORE control over your Zone settings. I have not used it yet, but it looks promising.

JoeyT, thanks for the link and the info. How about those first two entries -- Java Permissions and Scripting of Java applets?? Do I need them both blocked and why are there TWO of them?

Lastly, won't ANYONE else tell me the differences between their Internet Zone and Restricted Sites settings??:(

reply to R2
OK, this is what I can find about the first two entries: (from Ozark's Internet Exlorer Security Options)

Java Permissions :

Microsoft VM lets you set the security levels to control any Java applets your users encounter on Web sites in each zone.

CUSTOM- Although you can specify a custom level, I don’t recommend using Custom Level for Java permissions in most cases because Java security is very granular; you really need to be a Java programmer to understand Java permissions.

HIGH- When you choose the High safety level, you put fairly tight restrictions on Web pages that include Java applets. Using this level of protection prevents Java applets from accessing your computer’s files, registry, or printers, or displaying windows outside the IE window without first warning the user. Also, the applets won't be able to run other applications, but can initiate network connections back to the Web server.

MEDIUM- The main difference between the Medium safety and High safety levels is that in the Medium safety level, the user must give permission to Java applets to access files on the local computer.

LOW- In the Low safety level, Java applets can do almost anything on the local computer, including accessing files, starting applications, accessing the computer's registry, using printers, and contacting computers other than the Web server—even contacting computers on your internal network.

I recommend using High safety for most users for any site on the Internet zone. You’ll probably use Low safety for your Local intranet zone to support any highly functional intranet sites that use Java.
______________________________________

Scripting of Java applets:

The third scripting feature, Scripting of Java applets, controls whether client-side scripts can use objects in Java applets. Because Java scripts and applets work together closely, I recommend enabling this option if you enable Active scripting.
______________________________________

I am still not 100% sure why the first one does not control the second one...

Also, I supect in the Restricted Zone, you all are setting this to Disabled -- CORRECT??

reply to R2
ok heres part of mine
installed all security patches TO DATE
local = everything one java highest safety no activex
internet = deny all
restricted = deny all
no trusted sites
installed sun java 2
added 4 rules in CS to deny all traffic to and from iexploder when dialup present
added block all under app monitoring in pc viper for IE
patched Nutscrape use it as primary browser
if the site is really questionable or my gut starts getting off i use the text browser in genius2 to check it out

could you pass the marshmellows i can feel the flames rising
--
....common sense isn't too common anymore....

reply to R2

said by R2:

---

OK, this is what I can find about the first two entries: (from Ozark's Internet Exlorer Security Options)

Java Permissions :

Microsoft VM lets you set the security levels to control any Java applets your users encounter on Web sites in each zone.

CUSTOM- Although you can specify a custom level, I don’t recommend using Custom Level for Java permissions in most cases because Java security is very granular; you really need to be a Java programmer to understand Java permissions.

HIGH- When you choose the High safety level, you put fairly tight restrictions on Web pages that include Java applets. Using this level of protection prevents Java applets from accessing your computer’s files, registry, or printers, or displaying windows outside the IE window without first warning the user. Also, the applets won't be able to run other applications, but can initiate network connections back to the Web server.

MEDIUM- The main difference between the Medium safety and High safety levels is that in the Medium safety level, the user must give permission to Java applets to access files on the local computer.

LOW- In the Low safety level, Java applets can do almost anything on the local computer, including accessing files, starting applications, accessing the computer's registry, using printers, and contacting computers other than the Web server—even contacting computers on your internal network.

I recommend using High safety for most users for any site on the Internet zone. You’ll probably use Low safety for your Local intranet zone to support any highly functional intranet sites that use Java.
______________________________________

Scripting of Java applets:

The third scripting feature, Scripting of Java applets, controls whether client-side scripts can use objects in Java applets. Because Java scripts and applets work together closely, I recommend enabling this option if you enable Active scripting.
______________________________________

I am still not 100% sure why the first one does not control the second one...

Also, I supect in the Restricted Zone, you all are setting this to Disabled -- CORRECT??

---

disabled everything in the restricted zone. Does that help?
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!

How does that compare to how you have set up the Internet Zone?

OK, I have figured out how to create your OWN Zones. This is the registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]

At baseline there are FIVE Zones there 0 through 4. In order, they are My Computer, Local Intranet, Trusted Sites, Internet, and Restricted Sites. You can alter the name that is displayed under Tools|Internet Options by changing the, eh, "Display Name". You can also change what the description of each zone is by changing the, eh, "Description" entry. It is REALLY that easy! If you felt so inclined, you can also specify a different icon my modifying, yes, the "Icon" entry.

Then come the "Levels" entries (CurrentLevel, MinLevel, etc.). These seem control the HIGH, MED, LOW settings. I think 00000000 must be the "Custom" choice. It seems each Zone has a set minimum security level it can reach. I have not yet deciphered these. Also, the "Flags" have no clear meaning to me yet either...

The majority of the entries -- all of those numbers -- 1001, 1004, 1200, etc. -- MUST be the specific "custom" settings for each level. This would include Java permissions, Scripting, etc. No, I have not yet gone through and translated those -- yet!

NOW, the point is -- YOU CAN CREATE A SIXTH OR A SEVENTH ZONE!!

If you want to create a new zone somewhere in between Trusted Sites and Internet -- you CAN. Just export the "Trusted Sites" key -- that would be "2" -- to your Desktop. Change the key's name to "5". Change the "Display Name" to "Intermediate". Write a descriptive line about this Zone in the "Description". If you know how to figure out the Icon stuff, change the Icon -- this usually requires an icon program. I am not sure what to do with the flags. Leave it at 43 or change it to 3 -- I am just not sure yet... Leave all the other settings for now.

Merge this back into your registry -- and voila! A new zone to play with!

[text was edited by author 2001-05-26 00:57:14]

reply to R2

Prompt Zone.zip 74,734 bytes (Prompt Zone.reg)

More options...

Hi:

I suspect that IE is simply not picking up the Registry changes and using them -- they're in the Registry, just not being used. After merging your .REG file, have you checked the Registry to make sure the changes took? If they are there, then IE has simply not been prompted to use the changes.

I've seen this behavior with other programs. Unless you make a change through the program's interface, the changes in the Registry will not be recognized and used until you stop and restart the program in question.

Just a thought,

Eric L. Howes

reply to R2

Re: Zoning Out!

reply to R2

Re: More options...

reply to eburger68

Re: Zoning Out!

reply to bangaroo

Re: More options...

reply to R2

Re: Zoning Out!

reply to R2

Re: More options...

I think there are good arguments for Disabling EVERYTHING in Restricted sites and making sure your Outlook and/or Outlook Express is in this site. I also think adding Eric's list (Spy-Ad) to the Restricted sites is very smart.

So, you should keep Restricted VERY restricted. Then, make Internet slightly less. I like Trusted to be REALLY trusted, and then Prompt is a good intermediate. I think this is logical.

The other option is to use "Local Intranet" as your most enabled zone. However, I would like to reserve this for when I truly have a home Intranet...
[text was edited by author 2001-05-26 11:33:43]

reply to R2

Re: Zoning Out!