Truested Sites and the Untrusted Internet

How to avoid pop-ups, malicious scripts, and other hazards of Internet Explorer

12 OCT 2004 by Gordon Fecyk, Pan-Am Internet Services

INTERNET EXPLORER IS UNSAFE! Or so says the AARP. And that's not even a group that specializes in computer security. But we don't need to get into a lecture about False Authority Syndrome just yet. And I'm not going to get into how Netscape is Unsafe. No, I don't need to get into that.

Instead I want to get into how to make them safe. If you're already using a limited user account on Windows 2000 or XP, you're already half-way there. But sometimes you need to download and install something from the Internet with full administrator access, such as critical updates from Windows Update, and you might be tempted to surf around to kill some time while it happens.

This edition touches on reintroducing trust to Internet use. The Internet is a network of people, and there are all kinds of people with all kinds of wares. You don't trust everyone to come into your backyard, or your home, so why trust everyone to come into your computer?

SECURITY ZONES in Internet Explorer let you offer that trust to people, and companies on the Internet. This feature lets you decide which web sites, if any, are allowed to run fancy scripts, install browser plugins, or work with web forms on your computer. It also lets you control a lot of other features of Internet Explorer which you might not normally think about, but are easy to exploit and abuse. I will cover Internet Explorer 6.0 in this document, but the concepts apply to any version of IE since IE 4.0, and Netscape 7.0 or later, though the terms may be different. These concepts also work with other operating systems that uses these browsers, including MacOS and most flavours of *IX.

First (if using IE), close any browser windows you have open so the browser's stopped. That way any sites you have open won't interfere with the changes we're about to make. Second, pick Start / Settings / Control Panel, and open Internet Options.

You will get a display box that looks something like this:

IE5 users will get a similar display but without the Privacy tab. IE4 users will lose the Privacy and the Content (or is it the Connections?) tab. But all of these will have the Security tab, where we will do our work.

First, we are going to turn off most of IE's features for the majority of web sites. This is the equivelant of not trusting everybody you see on the street. Click the Security tab and, if not already selected, click on "Internet." Then click on Default level, and change the security setting to "High." This disables most of IE's features, wether or not they are routinely abused. As the display will explain, it is the safest way to browse but also the least functional. When done, click Apply or OK.

If you want, you can click on "Custom Level..." to adjust individual settings. I won't get into detail here, but feel free to experiment.

IF YOU TRY SURFING NOW, you will notice that a lot of fancy capabilities no longer work. Pop-up ads will stop working on sites that use them. Banking sites will stop working too, along with airline sites, many news sites, and so on that depend on your browser's special features. But we are going to turn them back on now, just for those sites.

Go back to the Security tab in the Internet Properties control panel. Now (if not already selected) click on Trusted Sites. It's default security level is "Low," but change it to "Medium" or "Medium-Low" anyway just so you can receive prompts before system-altering things can happen. You can selectively change individual settings here as well, to enable or disable certain features, by clicking on "Custom Level."

Now we need to add sites to the list of Trusted Sites. Click on the "Sites..." button to display its list. By default, nothing is listed. But before we add sites to the list, turn off "Require Server Verification (HTTPS)" so we can add entire domains to this list. Being able to add "*.microsoft.com" to the list of Trusted Sites will make managing the Trusted Sites list a lot easier.

Here is a short list of domains I usually recommend to set as Trusted Sites:

*.microsoft.com (Microsoft corporate domain, Windows Update, Office Update)
*.hotmail.com (Used by MSN Messenger)
*.passport.com (Used by MSN Messenger and Hotmail)
*.passport.net (Used by MSN Messenger and Hotmail)
*.msn.com (Used by MSN Messenger)
*.yahoo.com (Used by Yahoo Messenger and all eGroups / Yahoo Groups sites)
*.yahoo.ca (if using a Yahoo Canada e-mail account)
*.google.com (recommended search engine)

The majority of useful sites that require listing in Trusted Sites work if you add their domains to the list in this fashion. Some sites provide pages from multiple domains, such as most sites sponsored with banner ads, but any special scripts on the banner-ad sites will be disabled and you will see "Unknown Zone (Mixed)" displayed in your browser's status bar.

DEALING WITH TRUSTED SITES TAKES PRACTICE but the payoff is a computer that stays in top shape. You also get the benefit of stopping pop-up ads without having to pollute your machine with more useless software.

A handful of web sites get information from more than one domain. Most of these domains use a third party e-commerce provider such as paypal.com, shareit.com, cafepress.com and a few others. If a site using another domain's information stops working because of these changes, try to ask the site's maintainer what other sites, or domains, they use, and explain to them you want to add them to your browser's Trusted Sites list. If they ask about "Cookies," explain to them that your browser will work with cookies from sites listed in Trusted Sites. And send them a link to this article, too, so they can figure out what you're talking about.

Some of them might go through a chain of sites, such as those using the Verified by Visa program. You'll need to add all of the sites in the chain to the list. I would have provided a list, but there are many of these sites and providing such a list is best left in your hands. After all, what runs on your computer should be up to you. Any site that makes you jump through too many hoops should not be trusted so easily.

Besides, you can turn everything back on in your limited user account and use that to do your online banking and e-commerce. You shouldn't have to install any special software to do business with them, or they too, should not be trusted so easily.

THERE IS A 'RESTRICTED SITES' LIST TOO. I prefer an "opt-in" approach to trust, rather than trusting everyone by default and taking trust away from certain sites. But since you've seen the icon I better explain it.

The Restricted Sites list lets you disable scripting and other features for certain sites and domains. For a while I was recommending putting "*.gator.com" in there for that purpose. But the people who run these sites know this, so they create multiple domains. I really dislike a "whack-a-mole" approach to security.

The Restricted Sites feature is still useful for the Limited User, however. You can disable pop-up windows coming from a certain domain (like "*.doubleclick.net" for example) by adding that to the list of Restricted Sites. Just beware that there could be a very large number of these domains.

The "opt-in" approach, using Trusted Sites and disabling features in the Internet Zone, works much better for trying to stop pop-ups and similar annoyances, even for the Limited User. But it is a lot of work. Pop-ups by themselves aren't nearly as troublesome as some of the garbage their providers try to install on your PC. If you're already using a Limited User account for your daily work, you can close the windows or just log off and log back on to clear them up. And it also won't matter what browser you're using - the next yet-undiscovered exploit in Netscape 7 is just as harmless as the one in Internet Explorer, when running as a Limited User.

Return to Newsletter Archive
Return to Newsletter Home Page