Configuring Microsoft products for safety, security and privacy
Permitting 'trusted senders' to 'download' richer content - Web sites
Occasionally you will want or need to see a web site
(OR AN E-MAIL - see How to trust an e-mail)
as the sender intended you to view it - images, interactivity etc..
Bear in mind that if you are not
absolutely certain that the sender was fully in control of their PC when
the e-mail was sent you may be exposing yourself to a serious computer
virus that could cost £300-500UKP to fix and a lot
more in terms of lost business, data and many other bad consequences.
To view a Web Site with full graphics/interactivity "etc." and associated risks
By taking our advice you will have disabled certain MS features that
are by far the biggest security holes for the consumer in the MS product line.
The consequence of this change is that highly interactive sites that previously
worked may not function correctly without intervention - they need to
95% of the sites that have problems can be made to function as
intended by promoting them from the "Internet Zone" (level 2) to one higher -
the "Local Intranet" (3) or even the "Trusted" (4) zone.
Two caveats to doing so:
- Only do this if you are absolutely certain that the owner, manager,
developer and service provider of the site are completely reputable, competent
and have not been compromised.
- There are situations where this will not suffice. In particular if a
site needs to have a Plug-In downloaded or even a different version of a
Plug-in before the site will become "alive".
It is our strong recommendation that no Plug-ins other than Acrobat
Reader should be allowed to run and under no circumstances should
you download a Plug-in at the insistence of a site because there
is a reasonable chance that they will direct you to a site that will
look reputable but in fact will download code that will give control
of your PC to ill-intentioned people on the web.
- The other 5% would have failed anyway!, even if you had made no changes.
- We leave level 1 for the Untrusted Zone where you can put sites
that you really do not want to do anything with your PC at all!
Making the Local Intranet Zone a little safer
Even for sites you trust,
you should customise SOME settings to lower the level of threat by making
IE prompt prior to taking an action rather than it be automatic which is
what you get when you tick 'enabled'.
To change the settings you should single click on the symbol
(PC in front of WWW globe) and then click on customise.
The ones that I normally switch to prompt
(if not already the default - as marked with an * below) are:
I would also disable the pop-up blocker for these sites
(two thirds down the page)
and set the User authentication (very bottom) to prompt for user name
Note that there will probably be only 6 out of all of the above that you
need to change from their default for this zone AND you may want to reset
SOME of them to Enable rather than prompt if you get too much irritation from
the prompts because the sites that you place there use technology in a manner
which causes them to create prompts.
Another option is to move the domain yet higher (need to remove them from
this zone first) into the trusted zone (Green circle with white tick inside)
but obviously this is only for the most trusted sites.
To promote a site from the (now restricted!) Internet Zone
You may wish to use the
Microsoft instructions as at Dec'06 or ours as follows...
The instructions below are my attempt at making that easier and
you will see some real examples below.
Note that the 'Trusted Zone' is the very highest level of trust and
normally reserved for the 'must have' sites or sub-sites such as
Windows Update - *.windowsupdate.microsoft.com is one of few examples.
Although the 'Local Zone' takes an extra 2 clicks to add sites it should be
the zone chosen for any TRUSTED site with which you are having problems.
Bear in mind that legitimate sites will often use third-party providers of
I.T. services as part of their own site - either as a subdomain or an explicit
3rd party domain such as 'ad.doubleclick.net' - you need to trust the
competence and integrity of the owners of the prime site that they will not
allow you to be compromised by their suppliers.
Also bear in mind that legitimate sites will have marketing as well as
contractual aspects to their site. Whereas you may trust your Bank to
manage your money you have to ask yourself the question - do I trust the
people in marketing who are responsible for all of the Junk through my letter
box? Trusting the whole of a vast domain should be avoided if possible.
Explorer - upgrading a site to a higher ZONE SETTING
Firstly you should ensure that IE is showing you the zone of web sites
as you visit them, the following should be at the very bottom of your
browser window. The words and images may not be exactly as shown.
Note that this (Status Bar) is very useful for your SECURITY
because it allows you to
see the ACTUAL address of web sites prior to you clicking on any link!
As a slight aside - this status bar is really useful in Outlook Express too,
see How to trust an e-mail
|The ZONE is above - i.e. Internet in this case.
Note that other Zones are
named: Local Intranet, Trusted sites and Restricted sites as shown below
If the above is not shown at the bottom of your (Internet Explorer) browser
then click on 'View' at the top of the browser
(after File and Edit - see image to right)
and ensure that the phrase 'Status Bar' has a tick in front of it.
Left click upon the words 'Status Bar' if there is not one.
You MAY need to exit the browser and launch it again to get the above to display.
The simple approach is to click on the 'Zone' in the right of the status bar
at the bottom of the Internet Explorer Window as shown above.
Left Click on the "Local Intranet Zone" which is symbolised
by a small picture of a Globe with a PC in front of it. Then Click on "Sites".
You should check that all of the prompts that start with the
words "Include all" are DE-selected and then click on "Advanced".
You can then enter the Web Site address that you wish to be promoted
(e.g. www.tony-blair.gov.uk) and then click on "Add".
If there is a prompt "require https" for these sites then de-select it.
One of the reasons for removing the 'Include all' options is on the MS site as
KB303650 Intranet site is identified as an Internet site when you use an
FQDN or an IP address
Adding sites to the "Trusted" zone is simpler in that after single
left-clicking the zone (Green with white tick) then the Sites option
takes you directly to a prompt for site names. You should DE-select the
option that says "insist on https connection to these sites".
If you then click on "OK" three times! you should find that the site will now
have a changed symbol in the status bar at the bottom of MSIE which shows
that the site is being treated as "Local Intranet" rather than "Internet".
En-route to adding specific sites you will always be prompted for some
generic inclusions - unless you know what you are doing you should disable
all of these as anyone who (for instance) managed to encroach on your
Wireless LAN could potentially trick you into running code from a dummy site
which they could have running on a Laptop in a nearby Car Park for criminal
Adding sites is straightforward and IE may offer the site for you to add
without typing... on the whole be specific if the site is very large - e.g.
microsoft.com then only allow subdomains or folder (prefix vs suffix).
* at the front permits all subdomains.
To the left is how you select the Trusted Zone - then click 'Sites'.
Above is an example of adding the whole of the bbc.co.uk site to
your trusted zone.
Demanding secure connection (https:) doesn't tend to work even with banks
as they typically have many (sub-)domains of which only some use https:.
Above and to the right are what MS IE will show in the very bottom right
when you visit sites you have put in the Trusted and Local Zones.
I hope that has been useful. Any Comments, suggestions or corrections
to: Contact us please.
This would be especially useful if the software environment you have is
different to mine and the headings, text or prompts are different.