Surfing the Web Securely


When implementing security for Internet Explorer, Microsoft realized that different sites have different security needs. For example, it makes sense to have fairly stringent security for Internet sites, but you can probably scale the security back a bit when browsing pages on your corporate intranet.

To handle these different types of sites, Internet Explorer defines various security zones, and you can customize the security requirements for each zone. The current zone is displayed in the status bar.

To work with these zones, either select Tools, Internet Options in Internet Explorer, or launch Control Panel’s Internet Options icon. In the Internet Options dialog box that appears, select the Security tab, shown in Figure 14-6.

Figure 14-6: Use the Security tab to set up security zones and customize the security options for each zone.

Tip

Another way to display the Security tab is to double-click the security zone shown at the right end of the Internet Explorer status bar.

The list at the top of the dialog box shows icons for the four types of zones available:

  • Internet: This zone includes Web sites that aren’t in any of the other three zones. The default security level is Medium.

  • Local Intranet: This zone includes the Web pages on your computer and your network (intranet). The default security level is Medium-low.

  • Trusted Sites: This zone encompasses Web sites that implement secure pages and that you’re sure have safe content. The default security level is Low.

  • Restricted Sites: This zone is the umbrella for Web sites that don’t implement secure pages or that you don’t trust, for whatever reason. The default security level is High.

Adding and Removing Zone Sites

Three of these zones, Local Intranet, Trusted Sites, and Restricted Sites, enable you to add sites. To do this, follow these steps:

  1. Select the zone you want to work with and then click Sites.

  2. If you selected Trusted Sites or Restricted Sites, skip to step 4. Otherwise, if you selected the Local Intranet zone, you see a dialog box with three check boxes:

    • Include All Local (Intranet) Sites Not Listed In Other Zones: When selected, this option includes all intranet sites in the zone. If you add specific intranet sites to other zones, those sites aren’t included in this zone.

    • Include All Sites That Bypass The Proxy Server: When this check box is selected, sites that you’ve set up to bypass your proxy server (if you have one) are included in this zone.

    • Include All Network Paths (UNCs): When this check box is selected, all network paths that use the Universal Naming Convention (UNC) are included in this zone. (UNC is a standard format used with network addresses. UNC paths usually take the form \\server\resource, where server is the name of the network server and resource is the name of a shared network resource.)

  3. To add sites to the Local Intranet zone, click Advanced.

  4. Enter the site’s address in the Add This Web Site To The Zone text box and then click Add.

    Note

    When entering an address, you can include an asterisk as a wildcard character. For example, the address http://*.microsoft.com adds every microsoft.com domain, including www.microsoft.com, windowsupdate.microsoft.com, support.microsoft.com, and so on.

  5. If you make a mistake and enter the wrong site, select it in the Web Sites list and then click Remove.

  6. Two of these dialog boxes (Local Intranet and Trusted Sites) have a Require Server Verification (https:) For All Sites In This Zone check box. If you select this option, each site you enter must use the secure https protocol.

  7. Click OK.
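
An added sketch (not code from the book or from Internet Explorer) of the site-list behavior in the steps above: wildcard entries, the Require Server Verification (https:) check, and the fall-through to the Internet zone. The matching rule, the zone precedence by list order, and the `.example` entries are assumptions of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_ZONE = "Internet"  # sites that aren't in any of the other zones

def parse_entry(entry):
    """Split an entry such as 'http://*.microsoft.com' into (scheme, wildcard, domain)."""
    parts = urlsplit(entry)
    host = (parts.hostname or "").lower()
    wildcard = host.startswith("*.")
    return parts.scheme.lower(), wildcard, host[2:] if wildcard else host

def add_site(sites, entry, require_https=False):
    """Add an entry to a zone's list, enforcing the https: check box if selected."""
    scheme, _, domain = parse_entry(entry)
    if not domain:
        raise ValueError(f"no host in entry: {entry!r}")
    if require_https and scheme != "https":
        raise ValueError(f"zone requires https: entries, got {entry!r}")
    sites.append(entry)

def entry_matches(entry, url):
    """True if url falls under entry. Assumption: '*.' covers the domain itself
    and any subdomain, compared on a label boundary (so 'evilmicrosoft.com'
    does not match '*.microsoft.com')."""
    scheme, wildcard, domain = parse_entry(entry)
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if target.scheme.lower() != scheme:
        return False
    return host == domain or (wildcard and host.endswith("." + domain))

def zone_for(url, zones):
    """Return the first zone (in dict order, an assumption) that lists url."""
    for zone, sites in zones.items():
        if any(entry_matches(e, url) for e in sites):
            return zone
    return DEFAULT_ZONE

def build_sample_zones():
    """Constructed lists; the microsoft.com wildcard follows the Note in step 4."""
    zones = {"Restricted Sites": [], "Trusted Sites": [], "Local Intranet": []}
    add_site(zones["Trusted Sites"], "https://*.microsoft.com", require_https=True)
    add_site(zones["Restricted Sites"], "http://*.ads.example")
    return zones

if __name__ == "__main__":
    zones = build_sample_zones()
    for url in ("https://support.microsoft.com/kb", "https://evilmicrosoft.com/",
                "http://support.microsoft.com/", "http://tracker.ads.example/x"):
        print(f"{url:40} -> {zone_for(url, zones)}")
```

A wildcard entry in Trusted Sites extends the Low security level to every host under that domain, so each entry in the list deserves the same scrutiny as the broadest host it can match.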

Changing a Zone’s Security Level

To change the security level for a zone, first select it in the Security tab’s Select A Web Content Zone To Specify Its Security Settings list. Then use the Security Level For This Zone slider to set the level. To set up your own security settings, click Custom Level. This displays the Security Settings dialog box shown in Figure 14-7.

Figure 14-7: Use the Security Settings dialog box to set up customized security levels for the selected zone.

The Security Settings dialog box provides you with a long list of possible security issues, and your job is to specify how you want Internet Explorer to handle each issue. You usually have three choices:

  • Disable: Security is turned on. For example, if the issue is whether to run an ActiveX control, the control is not run.

  • Enable: Security is turned off. For example, if the issue is whether to run an ActiveX control, the control is run automatically.

  • Prompt: You’re asked how you want to handle the issue. For example, you decide whether you want to accept or reject an ActiveX control.

Enhancing Online Privacy by Managing Cookies

A cookie is a small text file that’s stored on your computer. It’s used by Web sites to “remember” information about your session at that site: shopping cart data, page customizations, passwords, and so on. No other site can access the cookie, so it’s safe and private under most—but definitely not all—circumstances. To understand why cookies can sometimes compromise your privacy, you need to understand the different cookie types that exist.

  • Temporary cookie: This type of cookie lives just as long as you have Internet Explorer running. When you shut down the program, all the temporary cookies are deleted.

  • Persistent cookie: This type of cookie remains on your hard disk through multiple Internet Explorer sessions. The cookie’s duration depends on how it’s set up, but it can be anything from a few seconds to a few years.

  • First-party cookie: This is a cookie that’s set by the Web site that you’re viewing.

  • Third-party cookie: This is a cookie that’s set by a site other than the one you’re viewing. Most third-party cookies are created and stored by advertisers who have placed an ad on the site you’re viewing.

Given these cookie types, your privacy can be compromised in two ways:

  • A site might store personally identifiable information—your name, e-mail address, home address, phone number, and so on—in a persistent first- or third-party cookie and then use that information in some way (such as filling in a form) without your consent.

  • A site might store information about you in a persistent third-party cookie and then use that cookie to track your online movements and activities. It can do this because it might have (for example) an ad on dozens or hundreds of Web sites, and that ad is the mechanism that enables the site to set and read its cookies. Such sites are supposed to come up with privacy policies stating that they won’t engage in surreptitious monitoring of users, they won’t sell user data, and so on.
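
The four cookie types and the tracking scenario above, as an added example (not from the book): it classifies constructed Set-Cookie headers by lifetime and party and reports the persistent third-party ones. The hosts, cookie values, and the two-label site comparison are assumptions of this sketch.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def site_of(url):
    """Last two host labels. A simplification: real browsers consult the
    Public Suffix List to find the registrable domain."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def classify_cookie(page_url, response_url, set_cookie):
    """Classify one Set-Cookie header as (name, lifetime, party)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    # A persistent cookie carries an expiry; a temporary one ends with the session.
    has_expiry = bool(morsel["expires"] or morsel["max-age"])
    lifetime = "persistent" if has_expiry else "temporary"
    # First-party: the response came from the site being viewed.
    same_site = site_of(page_url) == site_of(response_url)
    return name, lifetime, "first-party" if same_site else "third-party"

def tracking_candidates(page_url, responses):
    """Names of persistent third-party cookies, the kind usable for cross-site tracking."""
    found = []
    for response_url, header in responses:
        name, lifetime, party = classify_cookie(page_url, response_url, header)
        if (lifetime, party) == ("persistent", "third-party"):
            found.append(name)
    return found

# Constructed sample: one page view and the responses that set cookies during it.
PAGE = "http://www.shop.example/cart"
RESPONSES = [
    ("http://www.shop.example/cart", "session=abc123; Path=/"),
    ("http://www.shop.example/cart",
     "prefs=layout2; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("http://ads.adnetwork.example/banner.gif", "uid=7f3a; Max-Age=31536000; Path=/"),
    ("http://ads.adnetwork.example/banner.gif", "probe=1; Path=/"),
]

if __name__ == "__main__":
    for response_url, header in RESPONSES:
        print(classify_cookie(PAGE, response_url, header))
    print("persistent third-party:", tracking_candidates(PAGE, RESPONSES))
```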

To help you handle these scenarios, Windows XP implements a privacy feature that gives you extra control over whether sites can store cookies on your machine. To check out this feature, select Internet Explorer’s Tools, Internet Options command, and then select the Privacy tab, shown in Figure 14-8.

Figure 14-8: Use the Privacy tab to configure how Internet Explorer handles cookies.

You set your cookie privacy level by using the slider in the Settings section of the dialog box. First, let’s look at the two extreme settings:

  • Accept All Cookies: This setting (it’s at the bottom of the slider) tells Internet Explorer to accept all requests to set and read cookies.

  • Block All Cookies: This setting (it’s at the top of the slider) tells Internet Explorer to reject all requests to set and read cookies.

    Caution

    Blocking all cookies may sound like the easiest way to maximize your online privacy. However, numerous sites rely on cookies to operate properly, so if you block all cookies, you may find that your Web surfing isn’t as convenient or as smooth as it used to be.

In between are four settings that offer more detailed control. Table 14-1 shows you how each setting affects the three types of privacy issues.

Table 14-1: Cookie settings and privacy issues

| Setting | Third-Party Cookies With No Compact Privacy Policy | Third-Party Cookies Using Personally Identifiable Information Without The Type Of Consent | First-Party Cookies Using Personally Identifiable Information Without The Type Of Consent |
| --- | --- | --- | --- |
| Low | Restricted | Restricted (implicit consent) | OK |
| Medium | Blocked | Blocked (implicit consent) | Restricted (implicit consent) |
| Medium High | Blocked | Blocked (explicit consent) | Blocked (implicit consent) |
| High | Blocked | Blocked (explicit consent) | Blocked (explicit consent) |

Here are some notes about the terminology in this table:

  • Restricted means that Internet Explorer doesn’t allow the site to set a persistent cookie, just a temporary one.

  • A compact privacy policy is a shortened form of a privacy policy that can be sent along with the cookie and that can be read by the browser.

  • Implicit consent means that on one or more pages leading up to the cookie, you were warned that your personally identifiable information would be used and you agreed that it was okay.

  • Explicit consent means that on the page that reads the cookie, you were warned that your personally identifiable information would be used and you agreed that it was okay.

    Note

    If you decide to change the privacy setting, you should first delete all your cookies because the new setting won’t apply to any cookies already on your computer. To delete your cookies, select Tools, Internet Options, select the General tab, and then click Delete Cookies. (If you prefer to delete individual cookies, click Settings, click View Files, and then look for file names that begin with Cookie:.)




Insider Power Techniques for Microsoft Windows XP
ISBN: 0735618968
EAN: 2147483647
Year: 2005
Pages: 126
