Windows Confidential: The Intranet Can Be a Scary Place

Raymond Chen

If you’ve installed Windows Server™ 2003, you’ve probably discovered that Microsoft® Internet Explorer® doesn’t behave quite the same as it used to. You get prompted for your domain password more often, script doesn’t run, downloading from Web Folders is blocked—it’s just not fun.

All of this is a result of a Windows Server 2003 feature, called Internet Explorer Enhanced Security Configuration, that cranks the security settings for Windows® Explorer and Internet Explorer through the roof. Think of it as Internet Explorer with a tinfoil hat. This feature also goes by the nickname Internet Explorer Hardening. It’s specific to the server edition of Windows because companies who shell out thousands of dollars for a server-class machine typically don’t want their employees surfing Fark.com on the company’s central payroll database server!

The payroll database server should be browsing only to Web sites that have to do with managing the payroll database. The extra paranoia is also a safety precaution: shutting down noncritical Web browser functionality significantly reduces the surface area for attack. You definitely don’t want somebody attacking your payroll server.

One of the more significant changes when Hardening is enabled is that the intranet is considered just as unsafe as the Internet. Web sites on the intranet are placed in the Internet zone. Why is that? Because the intranet is also a scary place.

The term intranet is not as well-defined as it should be. If you’re in a college dorm, is everybody in your building on your intranet? Think about it. Why should you trust a student two floors down more than you trust a computer in another country? Many—perhaps even most—cable modem providers are set up so that everybody in your neighborhood is on the same LAN. Why should that sleazy-looking guy receive an elevated degree of trust just because his computer is physically located in your neighborhood?

Even if you restrict yourself to the corporate world, the intranet is still a scary place. Any random employee on your intranet can plug in and start hosting Web pages that are not trustworthy. Server administrators are justifiably paranoid and don’t want to take the chance that a rogue intranet Web site can cause their server grief.

If there is an intranet site that you do trust, you can add it to your intranet sites list explicitly. Don’t add it to your trusted sites list, however, because trusted sites can do more than mere intranet sites. For example, trusted sites in Internet Explorer 6.0 can install signed ActiveX® controls automatically.

Internet Explorer Hardening extends beyond Internet Explorer. Explorer and the shell also use zones to determine which operations should be blocked or prompted. If you have a logon script that runs scripts from a network location, that network location needs to be listed in your intranet sites list. Otherwise, the ShellExecute function will display a warning that the program you’re about to run is from an untrusted source. Alternatively, you can prefix the script location with the script engine you want to use. For example, if you have a logon script that runs the script \\atl-dc01\public\monitor.vbs, you can either add \\atl-dc01 to your intranet sites list (not the trusted sites list, for the reason given above), or you can change the line in the script to wscript \\atl-dc01\public\monitor.vbs, running the wscript script engine explicitly. (If you prefer it to be run as a console script, then use cscript instead of wscript.)

If you turn off Internet Explorer Hardening or if you are running Windows XP, nothing has changed. Automatic intranet detection remains enabled so as not to affect the behavior of Web sites that a corporation may use for its day-to-day business. But if you are on a home computer, you should probably disable automatic intranet detection since there is no real intranet in your universe. You can do this from the Security tab of the Internet Options menu. Click the Local intranet icon, then Sites, then deselect all three checkboxes. Indeed, even if your computer is part of a corporate network, you probably should disable automatic intranet detection anyway unless you find the compatibility impact too high and managing the explicit list of intranet sites too unwieldy.
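The two pieces of advice above (list a trusted intranet host explicitly rather than as a trusted site, and turn off automatic intranet detection) both map onto per-user registry values under the ZoneMap key that backs the Internet Options Security tab. The script below is an added example written for this column, not Microsoft's code or anything from the original article. It assumes Windows PowerShell, current-user scope (HKCU), and a machine without Internet Explorer Enhanced Security Configuration; on a server with ESC enabled the per-zone site lists are kept under ZoneMap\EscDomains rather than ZoneMap\Domains, which this example does not handle. The function names are the author's own.

```powershell
# Added example: apply the column's Local intranet zone advice through the registry.
# Assumptions: Windows PowerShell, HKCU scope, IE Enhanced Security Configuration not in use.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Zone numbers used by ZoneMap\Domains entries (1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites). We deliberately use 1 and never 2: trusted sites
# get privileges (such as installing signed ActiveX controls) that intranet sites do not.
$LocalIntranetZone = 1

function Add-IntranetSite {
    # Puts one host into the Local intranet zone for one scheme.
    # For a UNC path such as \\atl-dc01\public, the host is 'atl-dc01' and the scheme is 'file'.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [ValidateSet('file', 'http', 'https', '*')] [string] $Scheme = 'file'
    )
    $key = Join-Path $ZoneMap "Domains\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the scheme; the DWORD data is the zone number.
    New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranetZone -PropertyType DWord -Force | Out-Null
}

function Disable-AutomaticIntranetDetection {
    # Clears the three checkboxes under Local intranet > Sites that the column tells you to deselect:
    #   IntranetName  = "Include all local (intranet) sites not listed in other zones"
    #   ProxyBypass   = "Include all sites that bypass the proxy server"
    #   UNCAsIntranet = "Include all network paths (UNCs)"
    # AutoDetect is the single "Automatically detect intranet network" checkbox that
    # Internet Explorer 7.0 and later put in front of those three.
    foreach ($name in 'IntranetName', 'ProxyBypass', 'UNCAsIntranet', 'AutoDetect') {
        New-ItemProperty -Path $ZoneMap -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-IntranetZoneReport {
    # Reads the settings back so the change can be checked, or audited on another profile.
    $props = Get-ItemProperty -Path $ZoneMap
    [pscustomobject]@{
        IntranetName  = $props.IntranetName
        ProxyBypass   = $props.ProxyBypass
        UNCAsIntranet = $props.UNCAsIntranet
        AutoDetect    = $props.AutoDetect
        ExplicitHosts = @(Get-ChildItem (Join-Path $ZoneMap 'Domains') -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.PSChildName })
    }
}

# Usage: trust the logon-script server explicitly, then stop trusting the whole neighbourhood.
Add-IntranetSite -HostName 'atl-dc01' -Scheme 'file'
Disable-AutomaticIntranetDetection
Get-IntranetZoneReport

# The column's alternative that needs no zone change: name the script engine explicitly in the
# logon script, so ShellExecute is never asked to decide what to do with a .vbs from a share.
# cscript runs it as a console script, wscript as a windowed one; //nologo suppresses the banner.
# & cscript.exe //nologo \\atl-dc01\public\monitor.vbs
```

Run it once per user profile, then open the Local intranet Sites dialog to confirm that the three checkboxes are clear and that atl-dc01 appears in the explicit list; the report function returns the same information for scripting a check across profiles.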

Internet Explorer 7.0 will implement some of these recommendations automatically. When a computer is not joined to a domain, automatic intranet detection will be disabled, thereby protecting the home user from that creepy guy down the street. You can read more about the changes to the intranet zone in Internet Explorer 7.0 on the Internet Explorer team blog.

As a final note, I would like to thank Tony Chor, Group Program Manager for the Internet Explorer team, for his assistance in writing this column.

Raymond Chen’s Web site, blogs.msdn.com/oldnewthing, deals with Windows history and Win32 programming. Sometimes he makes up new Winter Olympic sports.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.