Be sure to read Brien's guide on importing a restricted site list and deploying it to IE through Group Policy.
Coming up with the optimal Internet Explorer security settings is tricky business. On one hand, you want to set security tightly enough that your network won't become infected with spyware should your users accidentally stumble upon a malicious Web site. On the other hand, the more that you tighten security, the better the chances that some Web sites will not display properly. Unfortunately, Microsoft has not published any documents (that I could find) related to optimal Internet Explorer security settings. Therefore, the settings that I am going to show you are my own recommendations and may not be appropriate for all organizations.
In my opinion, one of the biggest keys to establishing optimal Internet Explorer settings is to make effective use of Internet Explorer zones. As I'm sure you are aware, Internet Explorer offers four security zones: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Internet Explorer allows you to set separate security levels for each zone and to specify the sites that fall into each zone.
Local Intranet zone
By default, the Local Intranet zone has some rather loose permissions set. If your company has a local intranet set up, then I recommend adding its URL to the Local Intranet zone. After doing so, you can adjust this zone so that permissions that are not specifically required by your local intranet are not given. In doing so, you are reducing the attack surface should someone slip an unauthorized site into this zone.
If your company does not have a local intranet, then I recommend setting the security for the Local Intranet zone to the highest possible level. Again, this is to reduce Internet Explorer's attack surface in case someone manages to add an unauthorized site to the list.
Trusted Sites zone
The Trusted Sites zone is a zone intended for Web sites that you trust implicitly. If you are going to make use of the Trusted Sites zone, then you can leave the zone's security settings wide open. Otherwise, you should set the zone's security settings to the highest possible level to reduce the attack surface.
The other thing that I want to mention about the Trusted Sites zone is that you should only add sites to the zone if you trust them implicitly. This is a strong statement, because there aren't many sites that you should trust implicitly. My personal philosophy is that you should only add sites that are under your direct control to the Trusted Sites zone.
Restricted Sites zone
The Restricted Sites zone is for sites that you do not trust. A lot of people think that if a site is listed in the Restricted Sites list, Internet Explorer won't allow users to visit that site. This isn't the case though. The Restricted Sites zone won't stop users from visiting the sites in the zone; it merely provides a way for you to flag sites that you consider to be malicious.
Obviously, you should set the security levels for the Restricted Sites zone to the point that absolutely nothing can run. The real trick though is figuring out which Web sites to add to the zone. After all, you certainly don't want to go around visiting questionable Web sites to find out if they are malicious or not. I like to use a utility called Spyware Blaster. Spyware Blaster maintains a huge list of Web sites that are known to be malicious and can automatically import that list into Internet Explorer's Restricted Sites zone. You can then import this information into a group policy and use it to protect all of the computers on your network.
The only remaining zone on the list is the Internet zone. Any site that does not fall into the zones that I have already discussed becomes a part of the Internet zone by default. Microsoft sets the Internet zone to a security level of Medium so that most Web sites will display correctly, without being able to do too much damage. Of course we've all seen PCs become infected by spyware just by visiting a malicious site, so the Medium security level doesn't really offer as much protection as it should. You can tweak the security level to meet your needs, but at a minimum, I recommend disabling anything related to ActiveX. Few legitimate Web sites use ActiveX any more, but ActiveX is a favorite tool for spyware authors. If you are concerned about functionality, you could always try disabling it on a trial basis.
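To check a workstation against the recommendations above, the following read-only PowerShell audit reports whether the ActiveX actions are disabled in the Internet and Restricted Sites zones and lists every site currently mapped into the Local Intranet and Trusted Sites zones. It is an added example, not part of the original article; the registry paths, zone numbers and URL action IDs come from Microsoft's documentation of IE security zones (KB 182569), not from the author.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
# Covers the per-user preference hive only; values enforced through Group
# Policy are stored under Software\Policies and are not read here.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneName = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# ActiveX URL actions and their DWORD states (Microsoft KB 182569).
$activeX = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$state = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# 1. ActiveX should be disabled in the Internet (3) and Restricted Sites (4) zones.
$activeXReport = foreach ($z in 3, 4) {
    $props = Get-ItemProperty -Path "$base\Zones\$z" -ErrorAction SilentlyContinue
    foreach ($id in $activeX.Keys) {
        $raw = if ($props) { $props.$id } else { $null }
        $text = if ($null -eq $raw) { 'Not set' } elseif ($state.ContainsKey([int]$raw)) {
            $state[[int]$raw] } else { "Other ($raw)" }
        [pscustomobject]@{
            Zone = $zoneName[$z]; Action = $activeX[$id]
            Setting = $text; Disabled = ($raw -eq 3)
        }
    }
}

# 2. List every site mapped into Local Intranet (1) or Trusted Sites (2) for review.
$siteReport = Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        # Key layout is Domains\<domain>\<subdomain>; rebuild the host name.
        $parts = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\'
        [array]::Reverse($parts)
        foreach ($proto in $key.GetValueNames()) {
            $zone = $key.GetValue($proto)
            if ($zone -in 1, 2) {
                [pscustomobject]@{ Zone = $zoneName[[int]$zone]; Protocol = $proto; Site = $parts -join '.' }
            }
        }
    }

$activeXReport | Format-Table -AutoSize
$siteReport | Sort-Object Zone, Site | Format-Table -AutoSize
```

Any row with Disabled = False in the first table, or any site in the second table that is not under your direct control, is worth a closer look.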
As you can see, the optimal Internet Explorer security settings are really going to vary from one organization to the next. In this article, I have discussed some issues to consider in relation to Internet Explorer zones, but in the end, you will have to do what works for your own individual network.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in March 2006