Friday, January 20, 2006

Changes to Security Zones in MS Internet Explorer Version 7

There was a post in December describing how zones will work in the new version, along with some discussion of how the current version handles them.
Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)

It has received extensive comments, not all of which I have read yet. One theme among them is that the zones are not effective, so why bother. But they seem useful to me, and the most disappointing thing that I notice is that they apparently have not added any new zone between Internet and Trusted. That is what I want, and have created on my machines.

Some excerpts:

The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.

Because security zones allow more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than it should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen.
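To make the zone-spoofing point concrete, here is an added example (mine, not code from the linked post or from Microsoft; it is not IE's real zone logic). It models a simplified zone policy as an assumption: file: URLs land in My Computer, hosts on constructed Trusted/Restricted lists land in those zones, a dotless hostname is treated as Local intranet, and everything else is Internet. A deliberately sloppy classifier that slices the host out of the URL string by hand is compared with one that canonicalizes through a real URL parser first; the URLs on which the sloppy version lands in a more privileged zone are exactly the inputs a zone-spoofing attempt would target.

```python
"""Toy model of browser security-zone assignment (constructed for this
example; the rules below are an assumption, not IE's actual logic)."""
from urllib.parse import urlsplit

MY_COMPUTER, INTRANET, TRUSTED, INTERNET, RESTRICTED = (
    "My Computer", "Local intranet", "Trusted sites", "Internet", "Restricted sites")

# Most to least privileged, mirroring the default IE template ordering
# (Low, Medium-Low, Medium, High); My Computer sits above all of them.
PRIVILEGE = [MY_COMPUTER, TRUSTED, INTRANET, INTERNET, RESTRICTED]

# Constructed site lists standing in for the user's zone configuration.
TRUSTED_SITES = {"updates.example.com"}
RESTRICTED_SITES = {"ads.example.net"}


def classify(scheme, host):
    """Shared policy: Restricted is checked before Trusted (an assumption),
    a dotless name is assumed to be on the local network."""
    if scheme == "file":
        return MY_COMPUTER
    if host in RESTRICTED_SITES:
        return RESTRICTED
    if host in TRUSTED_SITES:
        return TRUSTED
    if host and "." not in host:
        return INTRANET
    return INTERNET


def naive_zone(url):
    """Hypothetical sloppy classifier: finds the 'host' by string slicing,
    stopping at the first '/', '\\' or '@'.  The '@' rule is what lets
    user-info like http://intranet@evil.example.com/ masquerade as a
    dotless intranet host."""
    scheme, _, rest = url.partition("://")
    host = rest
    for sep in "/\\@":
        host = host.split(sep, 1)[0]
    return classify(scheme.lower(), host.lower())


def canonical_zone(url):
    """Classifier that canonicalizes first: '\\' is treated as '/', user-info
    and port are stripped by the parser, the host is lower-cased, and
    anything that does not parse cleanly fails closed into Restricted."""
    url = url.replace("\\", "/")
    try:
        parts = urlsplit(url)
        host = parts.hostname  # None if absent; lower-cased; no user:pass@
    except ValueError:
        return RESTRICTED
    if parts.scheme == "file":
        return MY_COMPUTER
    if parts.scheme not in ("http", "https", "ftp") or not host or "%" in host:
        return RESTRICTED  # unknown scheme, missing or still-encoded host
    return classify(parts.scheme, host)


def naive_grants_more(urls):
    """URLs on which the sloppy classifier lands in a more privileged zone
    than the canonical one: the candidates a spoofing attempt would use."""
    return [u for u in urls
            if PRIVILEGE.index(naive_zone(u)) < PRIVILEGE.index(canonical_zone(u))]


# Constructed sample URLs; evil.example.com is a placeholder attacker host.
SAMPLES = [
    "http://intranet/",
    "http://intranet@evil.example.com/",
    "http://intranet%2Eevil.example.com/",
    "HTTP://Updates.Example.com/",
    "file:///C:/Windows/notepad.exe",
    "http://ads.example.net/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:40} naive={naive_zone(u):16} canonical={canonical_zone(u)}")
    print("spoof candidates:", naive_grants_more(SAMPLES))
```

The user-info case is the one to look at: the request really goes to evil.example.com, but a classifier that stops at "@" sees only "intranet" and hands out intranet-zone privileges. The percent-encoded host shows the other half of the discipline: when the parser cannot produce an unambiguous host, the canonical version fails closed rather than guessing.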
