Home > Articles > Home & Office Computing > Microsoft Windows Desktop

Managing Security Zones in Windows XP Professional

  • Print
  • + Share This
Using security zones to protect both the systems you are responsible for and their content is critical to keep unwanted visitors from your network, in addition to errant downloads that can contain viruses and compromise the health of your networks internally. Using the options available for configuring each of the four security zones in Windows XP gives you as the administrator flexibility in defining a security strategy for your organization.
Like this article? We recommend

Like this article? We recommend

In Windows XP, security zones are grouped into four categories: Restricted Sites, Trusted Sites, Local Intranet, and Internet. In addition to these categories, there are additional parameters you can set across zones. Provided following is a matrix comparing the 21 different parameters and their status by security zone. First, however, the specific security zones are defined:

  • Restricted Sites—Controls user access to Web content on sites that could potentially damage a computer or its data. Default security for this zone is High.

  • Trusted Sites—Controls user access to Web content on sites that are explicitly trusted and considered to be free of content that could damage the computer and its data. The default security level is a slightly modified version of Low, which allows downloading of unsigned ActiveX controls and sets Java permissions to Medium security.

  • Local Intranet—Controls user access to Web content on the local network, which can include local (intranet) sites; sites bypassed by the proxy server; and all network paths, such as Universal Naming Conventions (UNCs). Default security level is Medium-Low.

  • Internet—Controls user access to Web content on all sites not placed in other zones. The default security level is Medium.

The following table describes the security parameters for each security level:

Security Parameters

High

Medium

Medium-Low

Low

Download Signed ActiveX Controls

Disable

Prompt

Prompt

Enable

Download Unsigned ActiveX Controls

Disable

Disable

Disable

Prompt

Initialize and Script ActiveX Controls Not Marked as Safe

Disable

Disable

Disable

Prompt

Run ActiveX Controls and Plug-Ins

Disable

Enable

Enable

Enable

File Download

Disable

Enable

Enable

Enable

Font Download

Prompt

Enable

Enable

Enable

Access Data Sources Across Domains

Disable

Disable

Prompt

Enable

Allow Meta Refresh

Disable

Enable

Enable

Enable

Display Mixed Content

Prompt

Prompt

Prompt

Prompt

Don't Prompt for Client Certificate

Disable

Disable

Enable

Enable

Drag and Drop or Copy and Paste Files

Prompt

Enable

Enable

Enable

Installation of Desktop Items

Disable

Prompt

Prompt

Enable

Launching Programs or files in an IFRAME

Disable

Prompt

Prompt

Enable

Navigate Subframes Across Different Domains

Disable

Enable

Enable

Enable

Software Channel Permissions

High Safety

Medium Safety

Medium Safety

Low Safety

Submit Non-Encrypted Form Data

Prompt

Prompt

Enable

Enable

Userdata Persistence

Disable

Enable

Enable

Enable

Active Scripting

Disable

Enable

Enable

Enable

Allow Paste Operations

Disable

Enable

Enable

Enable

Allow Paste Operations via Script

Disable

Enable

Enable

Enable

Scripting of Java Applets

Disable

Enable

Enable

Enable


One of the most common security risks associated with the factors shown in the table is the enabling of ActiveX controls, plug-ins, Java applets, scripts, and downloads. If you're a system administrator, be sure to get a policy together and training to define the specific features you want to have tailored on ActiveX across company browsers. The fact that JavaScript has the potential to be a security breach for your system needs to be controlled through disabling the Scripting of Java Applets option.

Introducing Logon: the Lost Parameter

There's another parameter that isn't typically captured as part of the tables that define the variables associated with security zones. It's the Logon parameter, and it determines if user name and password information is sent automatically to content servers that request it. Any content server outside of a company can request this data, thereby getting access to user name and password information.

Due to the ease with which other servers, even outside of your company, can get user name and password information using this command, nothing but High security needs to be set. If Logon is set to Medium/High, then Logon is shared with intranet servers and those sites that have bypassed your proxy servers. With Logon security set to Low, any server from the intranet and Internet both can receive user name and password information. Be sure to set this option to High to make sure your systems are completely secure from inadvertently sending user name and password information either over the intranet in your organization or out to content servers on the Internet.

  • + Share This
  • 🔖 Save To Your Account