Internet Browser Security
Downloadable objects reached from the Internet open a gaping hole in network security because untrusted components come straight through the firewall inside ordinary web traffic, which the firewall is configured to allow. Users must be educated, and browsers must be configured to match your network's tolerance for active components such as Java applets and ActiveX controls.
Any browser user can change how the browser handles untrusted and trusted components, which is why the settings must also be enforced centrally rather than left to each user. Microsoft Internet Explorer v5.0 exposes these options through Tools, Internet Options. Select the Security tab, choose the Internet zone, and press the Custom Level button. As an example, we examine both the Java and the ActiveX permissions.
Restricting Java Components
Internet Explorer v5.0 provides several ways to handle Java applets. (Because Microsoft has eliminated native Java support in IE v6.0, this issue may be less important.) Unsigned applets carry no digital signature chaining to a trusted certificate authority; for them the user can disable Java, enable it, or run the applet within the Java sandbox. If the sandbox is chosen, each access right can be individually set to Enable or Disable. For signed applets, whose signatures chain to a trusted authority, the choices are Enable, Disable, or Prompt. With Prompt, each access right is configured to prompt, enable, or disable, and the browser displays a dialog whenever the applet in question requests that right. Keep in mind that a signature identifies the publisher; it says nothing about whether the code is safe. Granting signed applets rights outside the sandbox is a trust decision about the publisher, not a technical control.
Find the Java permissions, select Custom, and press the Java Custom Settings button. Again, browser permissions should be set at the same relative levels as those of the local server.
Restricting ActiveX Components
Each ActiveX security setting takes one of three values: Prompt, Enable, or Disable. ActiveX controls have no sandbox: they are native code that runs with the full privileges of the logged-on user and unrestricted access to the Win32 API. Therefore, you do not want users to run unsigned ActiveX controls. Period. And because a signature only authenticates the publisher, signed controls still warrant Prompt rather than Enable unless the publisher is one you have deliberately decided to trust.
In the Security Settings dialog, find the ActiveX controls and plug-ins group and set each item individually: downloading signed controls, downloading unsigned controls, running controls and plug-ins, initializing and scripting controls not marked as safe, and scripting controls marked safe for scripting. Unlike Java, ActiveX has no separate Custom Settings dialog; the radio buttons in this list are the whole configuration. Again, browser permissions should be set at the same relative levels as those of the local server.
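The Java and ActiveX choices above are stored as DWORD values under the Internet zone key (Zones\3) in the user's registry hive, so a practitioner can audit a browser without clicking through the dialog. The following Python script is an added example, not code from the original text: it parses a regedit export of that key, reports every item more permissive than a policy of "unsigned ActiveX disabled, other ActiveX items at Prompt or stricter, Java disabled or sandboxed at High safety", and emits a corrected .reg fragment. The value names (1001, 1004, 1200, 1201, 1405, 1C00) and the Enable=0, Prompt=1, Disable=3 encoding are Microsoft's documented layout for the Zones key; the policy thresholds, the sample export, and all function names are assumptions made for this example.

```python
"""Audit Internet Explorer Internet-zone (Zones\\3) settings from a .reg export.

Added example, not code from the original text. The value names and the
Enable=0 / Prompt=1 / Disable=3 encoding are Microsoft's documented layout
for the Zones key; the policy thresholds and the sample export are assumptions.
"""
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# ActiveX items in the Internet zone -> (description, strictest value this
# policy will accept; anything more permissive is a finding).
POLICY = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 1),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 1),
}

# 1C00 (Java permissions) uses its own encoding.
JAVA_LEVEL = {0: "Disable Java", 0x10000: "High safety", 0x20000: "Medium safety",
              0x30000: "Low safety", 0x800000: "Custom"}
JAVA_ALLOWED = {0, 0x10000}   # policy assumption: Java off, or sandboxed at High

# Constructed sample export of a browser left at permissive settings.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000
"1C00"=dword:00020000
"""

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone(reg_text, key=ZONE_KEY):
    """Return {value_name: int} for the dword values under `key`."""
    settings, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = DWORD_LINE.match(line)
        if in_key and m:
            settings[m.group(1).upper()] = int(m.group(2), 16)
    return settings


def _label(table, value):
    if value is None:
        return "not set (zone template default applies)"
    return table.get(value, f"unknown (0x{value:x})")


def audit(settings):
    """Return (value, description, current, required) for every item that
    is missing or more permissive than the policy allows."""
    findings = []
    for name, (desc, required) in POLICY.items():
        current = settings.get(name)
        # Lower numbers are more permissive: Enable (0) < Prompt (1) < Disable (3).
        if current is None or current < required:
            findings.append((name, desc, _label(ACTION, current), ACTION[required]))
    java = settings.get("1C00")
    if java not in JAVA_ALLOWED:
        findings.append(("1C00", "Java permissions", _label(JAVA_LEVEL, java),
                         "Disable Java or High safety"))
    return findings


def hardened_reg(settings, key=ZONE_KEY):
    """Emit a .reg fragment that raises each failing item to the policy minimum."""
    fixed = dict(settings)
    for name, (_, required) in POLICY.items():
        if fixed.get(name) is None or fixed[name] < required:
            fixed[name] = required
    if fixed.get("1C00") not in JAVA_ALLOWED:
        fixed["1C00"] = 0x10000
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for name in sorted(n for n in fixed if n in POLICY or n == "1C00"):
        lines.append(f'"{name}"=dword:{fixed[name]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_zone(SAMPLE_REG)
    for value, desc, have, want in audit(current):
        print(f"{value} {desc}: is {have}, policy requires {want}")
    print(hardened_reg(current))
```

To use it on a real client, export the key with `regedit /e zone3.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"` and feed the file to parse_zone. The audit reports a missing value as a finding as well, because the browser then falls back to the zone template's default rather than to Disable. Where the zone settings are delivered by Group Policy, treat any finding as drift to be explained, not something to fix by importing the generated .reg on one machine.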
The browser settings just discussed can be assigned to users automatically through a Group Policy Object (GPO). Edit the Default Domain Policy (or a GPO linked to the organizational unit in question) with the Group Policy snap-in and navigate to User Configuration, Windows Settings, Internet Explorer Maintenance, Security, Security Zones and Content Ratings, where the zone settings of the machine you are editing from can be imported into the policy. Because any user can reopen the local Security tab, this central enforcement is what actually makes the configuration stick; configure a reference machine first, verify its settings, and import from there.