internet privacy, internet safety, internet security, computer virus information and help.

How to Use Security Zones in Internet Explorer (Q174360)

The information in this article applies to:

Microsoft Internet Explorer version 6 for Windows XP

Microsoft Internet Explorer version 6 for Windows 2000

Microsoft Internet Explorer versions 5.01 , 5.01 Service Pack 1 , 5.01 Service Pack 2 , 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows 2000

Microsoft Internet Explorer version 6 for Windows NT 4.0

Microsoft Internet Explorer versions 4.0 , 4.01 , 4.01 Service Pack 1 , 4.01 Service Pack 2 , 5 , 5.01 , 5.01 Service Pack 1 , 5.01 Service Pack 2 , 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows NT 4.0

Microsoft Internet Explorer version 6 for Windows Millennium Edition

Microsoft Internet Explorer versions 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows Millennium Edition

Microsoft Internet Explorer version 6 for Windows 98 Second Edition

Microsoft Internet Explorer versions 5.01 , 5.01 Service Pack 1 , 5.01 Service Pack 2 , 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows 98 Second Edition

Microsoft Internet Explorer version 6 for Windows 98

Microsoft Internet Explorer versions 4.01 Service Pack 2 , 5 , 5.01 , 5.01 Service Pack 1 , 5.01 Service Pack 2 , 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows 98

Microsoft Internet Explorer versions 4.0 , 4.01 , 4.01 Service Pack 1 , 4.01 Service Pack 2 , 5 , 5.01 , 5.01 Service Pack 1 , 5.01 Service Pack 2 , 5.5 , 5.5 Service Pack 1 , 5.5 Service Pack 2 , for Windows 95

SUMMARY

The article describes the types of security zones in Internet Explorer, and how to configure different levels of security for Web sites that you visit.

MORE INFORMATION

Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

You can configure the My Computer zone (which contains files on your local computer) only from the Microsoft Internet Explorer Administration Kit (IEAK); these settings are not available in the browser interface. Administrators should use the default settings for this zone unless your organization has a specific requirement. Lower security settings can result in security risk, whereas higher security settings can impair functionality.

You can set the security options that you want for each zone, and then add or remove Web sites from the zones, depending on your level of trust in a Web site.

Types of Security Zones

Local Intranet Zone

By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6). Note that when you access a local area network (LAN) or intranet share, or intranet Web site by using an Internet Protocol (IP) address or a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of the Local intranet zone. For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

Q303650 Intranet Site Identified as Internet When You Use FQDN or IP

Trusted Sites Zone

This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or run from the Web site will not damage your computer or data. By default, there are no Web sites assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone

This zone contains Web sites that you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files you download or run from the Web site may damage your computer or data. By default, there are no Web sites assigned to the Restricted Sites zone, and the security level is set to High.

The Restricted Sites zone contains Web sites that are not on your computer or local intranet, or that are not already assigned to another zone. The default security level is Medium.

NOTE : Security settings are applied only to files on your computer that are in the Temporary Internet Files folder (using the security level of the Web site from which the files came). All other files are assumed to be safe.

Internet Zone

This zone contains all Web sites that are not included in any other zones.

How to Configure Security Zones

To change the default security level for a zone, customize security options in a zone, or assign a Web site to a specific zone. To do this, use the steps in one of the following sections.

How to Change the Default Security Level for a Zone

For each security zone in Internet Explorer 4.x, you can choose the High, Medium, Low, or Custom security level setting. In Internet Explorer 5 and 6, you can choose the High, Medium, Medium-low, Low, or Custom Level security setting.

To change the default security level for a zone:

In Internet Explorer 4.x, click Internet Options on the View menu. In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
On the Security tab, click the zone for which you want to change security levels in the Zone box.
Click the security level that you want to use for the zone, and then click OK .

Although it is recommended that the High security setting for Web sites that are not in the Trusted Sites zone, you can safely use the Medium security setting in the Trusted Sites zone.

How to Customize Security Settings in a Zone

The Custom option gives advanced users and administrators more control over all security options. For example, the Download Unsigned ActiveX Controls option is disabled by default in the Local Intranet zone (Medium security is the default setting for the Local Intranet zone). In this case, Internet Explorer may not run any ActiveX controls in your organization's intranet because most organizations do not sign ActiveX controls that are only used internally. For Internet Explorer to run unsigned ActiveX controls in your organization's intranet, change the security level for the Download Unsigned ActiveX Controls option to Prompt or Enable for the Local intranet zone. You an set the following security options by using the Custom setting:

Access to files, ActiveX controls, and scripts
The level of capabilities given to Java programs
If sites must be identified with Secure Sockets Layer (SSL) authentication
Password protection by using Windows NT Challenge/Response (NTLM). Depending on which zone a server is in, Internet Explorer can send your password automatically, prompt you for your user name and password, or deny any logon requests

To customize security options in a zone:

In Internet Explorer 4.x, click Internet Options on the View menu.

In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
On the Security tab, click the zone that you want to customize in the Zone box.
Click Custom (For Expert Users) , and then click Settings .

In Internet Explorer 5 and 6, click Custom Level .
Under Reset Custom Settings , click the security level for the entire zone in the Reset To box, and then click Reset .
Under the section for which you want to customize security settings, click the option that you want, click OK , and then click OK again.

To assign a Web site to a specific security zone:

In Internet Explorer 4.x, click Internet Options on the View menu.

In Internet Explorer 5 and 6, click Internet Options on the Tools menu.
On the Security tab, click the zone to which you want to assign a Web site in the Zone box, and then click Add Sites .

If you add a Web site to the Local Intranet zone, you can select the types of Web sites that you want to include in the zone, and then click Advanced to add specific sites. The following rules apply to the Local Intranet zone options. Note that adding a site to any zone takes precedence over the following rules:
- Include all local (intranet) sites that are not listed in other zones: Intranet sites have names that do not include periods (for example, http://local). A site name such as http://www.microsoft.com is not local because it contains periods. This site is assigned to the Internet zone. The intranet site name rule applies to both "file:" and "http:" addresses. Note that top-level Internet domains may be accessible by using a name that does not contain periods. If you can gain access to generic (.com, .org, .net, .edu, .gov, .mil, or .int) or country code domains (.us, .jp, .uk, and so on), clear this option to prevent these sites from using Local Intranet security settings. For additional information about top-level domains, view the following Web site:
  
  http://www.iana.org/top-level-domains.html
- Include all sites that bypass the proxy server: Typical intranet configurations use a proxy server to gain access to the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is configured differently, clear this option and use other options to designate files that are assigned to the Local Intranet zone. On computers that do not have a proxy server, this setting has no effect.
- Include all network paths (UNCs): Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If there are network paths that should not be in the Local Intranet zone, clear this option and use other options to designate files that are assigned to the Local Intranet zone. For example, in certain Common Internet File System (CIFS) configurations, it is possible for a network path to reference Internet content.
Type a Web address in the Add this Web site to the zone box, and then click Add .
Click OK , and then click OK again.

When you add sites to the Local Intranet or Trusted Sites zones, you can require that server verification be used if you click to select the Require server verification (https:) for all sites in this zone check box.

NOTE : You cannot assign a Web site to the Internet zone. The Internet zone contains all Web sites that are not on your computer or in the local intranet zone, or that are not already assigned to another zone.

For additional information about how to resolve behaviors that are not resolved by the preceding steps, click the article number below to view the article in the Microsoft Knowledge Base:

Q319585 WINUP - Error 'Software update incomplete, this Windows Update software did not update successfully'

The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information.

Published	Mar 22 1999 9:48AM	Issue Type	kbhowto
Last Modifed	Apr 19 2002 1:10AM	Additional Query Words	5.50 5.5
Keywords	kbenv msiew95 msient msiew98