Internet Explorer Enhanced Security Configuration is designed to reduce your server’s exposure to security threats. To ensure that you get the most benefit from the enhanced security configuration, consider these browser management recommendations:

  • All Internet and intranet sites are assigned to the Internet zone by default. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone and add the intranet site to the Local intranet zone.
  • If you want to run a browser-based client application over the Internet, you should add the Web page that hosts the application to the Trusted sites zone.
  • If you want to run a browser-based client application over a protected and secure local intranet, you should add the Web page that hosts the application to the Local intranet zone.
  • Add internal sites and local servers to the Local intranet zone to make sure you have access to, and can run, applications from your servers.
  • Use unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process. For more information, see the Readme file in Deploy.cab on the Windows product CD.
  • Use client computers to download drivers, service packs, and so on, and avoid any browsing on servers.
  • If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list for images relative to different server types and needs.

Add sites to the Trusted sites zone

When Internet Explorer Enhanced Security Configuration is enabled on your server, the security settings for all Internet sites are set to High. If you trust a Web page and need it to be functional, you can add that page to the Trusted sites zone in Internet Explorer.

  1. Navigate to the site that you want to add.
    • If you are already viewing the site that you want to add, continue to step 2.
    • If you know the URL of the site that you want to add, open Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
  2. On the File menu, click Add this site to, and then click Trusted Sites Zone.
  3. In the Trusted sites dialog box, click Add to move the site to the list, and then click Close.
  4. Refresh the page to view the site from its new zone.
  5. Check the Status bar of the browser to confirm that the site is in the Trusted sites zone.

Notes

  • If an Internet site tries to use scripting or ActiveX controls, a dialog box is displayed to notify you. You can add the Internet site to the Trusted sites zone directly from this dialog box. If you have disabled this dialog box, you can re-enable the dialog box in Internet Explorer. On the Tools menu, click Internet Options. On the Advanced tab, select Display enhanced security configuration dialog.
  • A Web page can be part of only one zone at a time — you cannot add a page to both the Trusted sites zone and the Local intranet zone.
  • When you add a Web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add http://www.microsoft.com/windowsxp/expertzone/ to your Trusted sites zone, you are adding http://www.microsoft.com. If you then want to view the Windows Help and Support site, you will have to add http://support.microsoft.com separately, because the Windows Help and Support site is a separate domain.
  • Internet Explorer maintains two different lists of sites for the Trusted Sites zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.
  • You can use wildcards to add all sub-domains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.
  • Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site.
  • During installation you can add many sites at one time to the Trusted sites zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server 2003 Deployment Kit.

Add sites to the Local intranet zone

When Internet Explorer Enhanced Security Configuration is enabled, the security settings for all intranet sites are set to High. As a result, you are prompted for your credentials (your user name and password) each time you visit intranet sites that have not been added to the Local intranet zone. If you routinely use intranet sites, and you know those sites are trustworthy, you can add them to the Local intranet zone in Internet Explorer.

  1. Navigate to the site that you want to add.
    • If you are already viewing the site that you want to add, continue to step 2.
    • If you know the URL of the site that you want to add, open Internet Explorer, type the site URL in the Address bar, and then wait for the site to load.
  2. On the File menu, click Add this site to, and then click Local Intranet Zone.
  3. In the Local intranet dialog box, click Add to move the site to the list, and then click Close.
  4. Refresh the page to view the site from its new zone.
  5. Check the Status bar of the browser to confirm that the site is in the Local intranet zone.

Notes

  • Do not add Internet sites to the Local intranet zone, because your credentials are passed automatically to the site if they are requested.
  • A Web page can be part of only one zone at a time — you cannot add a page to both the Trusted sites zone and the Local intranet zone.
  • The enhanced security configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local Intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone.
  • When you add a Web page to the Local intranet zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add http://YourIntranetServer/SubWeb to your Local intranet zone, you are adding http://YourIntranetServer.
  • Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when the enhanced security configuration is enabled, and a separate list is in effect when the enhanced security configuration is disabled. When you add a Web page to the Local intranet zone, you are adding it only to the list that is currently in effect.
  • During installation you can add many sites at one time to the Local intranet zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server 2003 Deployment Kit.
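The notes for both zones state the same scoping rules: an entry is stored per domain (or per UNC server), not per page; a *.domain wildcard covers every sub-domain; a site can sit in only one of the two zones; anything not listed stays in the Internet zone at High; and a separate list is in effect depending on whether the enhanced security configuration is enabled. The following model, added here as an illustration and not Microsoft's code, works through those rules on the page's own sample sites. Its behaviour (the Internet zone as the fallback, the host-level reduction of URLs, the UNC server reduction, the wildcard match) is an assumed simplification of Internet Explorer's zone mapping, not a reimplementation of it.

```python
"""Model of how Enhanced Security Configuration scopes zone entries.

Added example (not Microsoft's code). Assumed simplification: zone lists hold
host names or UNC server names; a '*.' prefix is a sub-domain wildcard; a site
is looked up in Local intranet first, then Trusted sites, else Internet.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

INTERNET = "Internet"        # default zone, locked to High under ESC
TRUSTED = "Trusted sites"
INTRANET = "Local intranet"


def zone_key(site: str) -> str:
    """Reduce a URL, host, wildcard or UNC path to what the zone list stores.

    Everything below the host (or UNC server) is dropped, which is why adding
    one page admits the whole domain, and \\server\share\setup.exe admits
    \\server.
    """
    site = site.strip()
    if site.startswith("\\\\"):
        server = site[2:].split("\\", 1)[0]      # \\server\share\... -> server
        return "\\\\" + server.lower()
    if site.startswith("*."):                    # wildcard entry, e.g. *.microsoft.com
        return site.lower()
    if "://" not in site:
        site = "http://" + site
    return (urlsplit(site).hostname or "").lower()


class EscZoneMap:
    """Trusted sites / Local intranet lists, one set per ESC state."""

    def __init__(self) -> None:
        # The page notes two different lists: one in effect while ESC is
        # enabled and a separate one while it is disabled.
        self.lists = {
            True: {TRUSTED: set(), INTRANET: set()},
            False: {TRUSTED: set(), INTRANET: set()},
        }
        self.esc_enabled = True

    def add(self, zone: str, site: str) -> str:
        """Add a site to a zone of the list currently in effect; return the stored key."""
        if zone not in (TRUSTED, INTRANET):
            raise ValueError(f"unknown zone {zone!r}")
        key = zone_key(site)
        current = self.lists[self.esc_enabled]
        other = INTRANET if zone == TRUSTED else TRUSTED
        if key in current[other]:
            # A site can be part of only one zone at a time.
            raise ValueError(f"{key} is already in {other}; remove it there first")
        current[zone].add(key)
        return key

    def zone_of(self, site: str) -> str:
        """Resolve which zone a URL or UNC path falls into (Internet if unlisted)."""
        key = zone_key(site)
        current = self.lists[self.esc_enabled]
        for zone in (INTRANET, TRUSTED):
            for entry in current[zone]:
                if entry == key or (entry.startswith("*.") and fnmatchcase(key, entry)):
                    return zone
        return INTERNET

    def sends_credentials_automatically(self, site: str) -> bool:
        """True when the site is in Local intranet, where IE passes your
        credentials on request; this is why Internet sites must not go there."""
        return self.zone_of(site) == INTRANET


def demo() -> dict:
    """Walk the page's sample sites through the model (constructed input)."""
    zm = EscZoneMap()
    zm.add(TRUSTED, "http://www.microsoft.com/windowsxp/expertzone/")
    zm.add(INTRANET, "\\\\server\\share\\setup.exe")
    zm.add(INTRANET, "http://YourIntranetServer/SubWeb")
    return {
        "www.microsoft.com (same domain)": zm.zone_of("http://www.microsoft.com/"),
        "support.microsoft.com (separate domain)": zm.zone_of("http://support.microsoft.com/"),
        "\\\\server\\other\\tool.exe": zm.zone_of("\\\\server\\other\\tool.exe"),
        "YourIntranetServer/Another": zm.zone_of("http://yourintranetserver/Another/page.htm"),
    }


if __name__ == "__main__":
    for site, zone in demo().items():
        print(f"{site:45s} -> {zone}")
```

Running the script shows the www.microsoft.com page resolved to Trusted sites while support.microsoft.com stays in the Internet zone until it is added separately (or covered by *.microsoft.com), and the whole \\server UNC server landing in Local intranet after a single file path was added.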
