Improvements in Windows XP SP2: How Internet Explorer is safer under the hood in XP SP2

Published: September 22, 2005
Sandi Hardmeier

Internet Explorer with Windows XP SP2 did much to improve the user experience when surfing the Internet. The Pop-Up Blocker, the Information Bar, the Add-On Manager, and download monitoring are all designed to make our time on the Web safer and more productive.

That being said, there are more changes in Internet Explorer with Windows XP SP2 than meets the eye. Developers and computer professionals have written about mysterious things like Local Machine Zone lockdown, Zone Elevation Blocks, and MIME Handling Enforcement, all of which sound very impressive, but what do they all mean? How do these mysterious changes help make the Internet safer?

All of the above terms refer to changes in Internet Explorer that are designed to help prevent security problems—changes that are not obvious to the end-user, but instead work in the background to reduce risk when surfing the Web. Let's take a look at some of the changes to Internet Explorer, "under the hood", and how they make our Web surfing safer.

Local Machine Lockdown

Internet Explorer uses Web content zones when deciding what sort of restrictions to place on a Web page. For example, Web pages on the Internet are subject to 'Internet' zone restrictions, HTML pages on a local network are subject to the 'Local Intranet' zone, and HTML pages stored locally, for example on a computer's hard drive or on a CD, run in the 'Local Machine Zone' (LMZ).

Internet Explorer uses Web content zones to control what a page can or cannot do

You will note that the LMZ (also known as 'My Computer' zone) does not appear in the list of available security zones. Microsoft has hidden this zone by default to ensure that its settings are not accidentally changed. For example, we do not want Web sites to be added to the LMZ by accident or by a hostile Web site, because it would give that page almost complete freedom to run anything it wants.

The Local Machine Zone (My Computer zone) is hidden from users

Historically, Web content in the LMZ has been presumed safe, and few restrictions were placed on what that content could do. Unfortunately, this also meant that if attackers were able to get their code into the LMZ through Internet Explorer, it was easier to attack a computer.

Starting with Windows XP SP2, the Local Machine Zone has been locked down for Internet Explorer. In fact, the LMZ is now more restrictive for Internet Explorer than the normal Internet zone. This means that even if an attacker succeeds in passing content into the LMZ through Internet Explorer, its ability to cause harm is restricted. Even better, these restrictions have been achieved without affecting other programs that may be installed on the user's computer. By default, Internet Explorer is the only program affected by the LMZ lockdown, although other programs that host the Internet Explorer rendering engine can opt in by registering their executable name under the FEATURE_LOCALMACHINE_LOCKDOWN key in HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.

That being said, the LMZ lockdown can sometimes pose difficulties for programs that use Internet Explorer to display HTML content. If such a program tries to display content in the LMZ, the message "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options…" may appear.

The dialogue box can be prevented and LMZ lockdown disabled, although I encourage you not to make the following changes unless there is a definite need, and then to make them only for as long as is needed to complete the particular task.

There are two user-adjustable settings related to LMZ lockdown. If you are experiencing difficulties when attempting to access data on a CD, click on Tools, then on Internet Options, then on the Advanced tab. Scroll down to the Security settings and enable the option to "Allow active content from CDs to run on My Computer".

If you are attempting to view an HTML page saved to your hard drive within Internet Explorer and that Web page has any active content (such as scripts, Java applets, ActiveX controls, Web counters, banner advertisements, etc.), the Information Bar will appear with a warning about active content.

LMZ lockdown in action

The setting "Allow active content to run in files on My Computer" can be enabled if you face this issue, although I would recommend that you temporarily bypass the restriction by clicking on the Information Bar and selecting "Allow Blocked Content" instead of disabling the protective feature completely.

Zone Elevation Blocks

As mentioned in our discussion about Local Machine Zone lockdown, Internet Explorer assigns security permissions according to Web content zones. In Windows XP SP2, a Web page is no longer allowed to navigate into, or load content from, a zone that is less restrictive (more trusted) than its own zone without the user's consent.

The most trusted security zone is the Local Machine Zone, followed by Trusted sites, Local Intranet, the Internet zone and then the Restricted zone. When a Web site attempts to navigate from a less trusted to a more trusted zone, a dialogue box will appear prompting the user for permission, as follows:

"The current <zone> site is trying to open a file that is on your <more trusted zone> list. If you trust this <zone> site, proceed by clicking OK."

Or

"The current site is in your Restricted sites list and is trying to open a file that is on the Intranet. We recommend that you do not allow this."

If you wish to relax this protection temporarily, and again I do not recommend you do so unless you are very sure that you trust the Web site in question, you can do so by clicking on Tools, then Internet Options. Navigate to the Security tab. Highlight the Web content zone into which you want to permit navigation, and click on the Custom Level button. Scroll down to the Miscellaneous option "Web sites in less privileged Web content zone can navigate into this zone" and set it to Prompt. (Of the three values, Disable blocks the navigation outright, Prompt asks you each time, and Enable allows it silently; prefer Prompt over Enable so you are still asked.)
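To make the zone ordering and the elevation check concrete, here is a small model of the behaviour described above. It is an added example, not Internet Explorer's own code: the zone ranking follows the order given in the text, the URL-to-zone rules are a simplification of IE's (a file: URL is Local Machine, a host on the Trusted or Restricted list goes there, a dotless host name counts as intranet, everything else is Internet), and the host names and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Added example (not Internet Explorer's own code): a simplified model of how a
# URL is assigned to a Web content zone and how a navigation into a more trusted
# zone is caught. The zone ranking follows the order given in the article; the
# host lists and URLs are constructed for the example.

# Rank 0 is the most trusted zone, 4 the least.
ZONE_RANK = {
    "Local Machine": 0,
    "Trusted sites": 1,
    "Local intranet": 2,
    "Internet": 3,
    "Restricted sites": 4,
}

# Stand-ins for the Trusted sites / Restricted sites lists in Internet Options.
TRUSTED_HOSTS = {"updates.corp.example"}
RESTRICTED_HOSTS = {"badsite.example.net"}


def zone_of(url: str) -> str:
    """Assign a URL to a zone. file: is Local Machine; a listed host goes to its
    list; a host name with no dots is treated as intranet (IE's rule of thumb,
    an assumption here); anything else is Internet."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "file":
        return "Local Machine"
    if host in RESTRICTED_HOSTS:
        return "Restricted sites"
    if host in TRUSTED_HOSTS:
        return "Trusted sites"
    if host and "." not in host:
        return "Local intranet"
    return "Internet"


def check_navigation(source_url: str, target_url: str) -> dict:
    """Decide what the zone elevation block does when the page at source_url
    tries to navigate to target_url: allow it, or prompt the user."""
    src, dst = zone_of(source_url), zone_of(target_url)
    # Moving sideways or into a less trusted zone is never an elevation.
    if ZONE_RANK[dst] >= ZONE_RANK[src]:
        return {"action": "allow", "from": src, "to": dst, "message": ""}
    # Moving into a more trusted zone: the user is asked, with the wording
    # depending on whether the source is a Restricted site.
    if src == "Restricted sites":
        msg = (f"The current site is in your Restricted sites list and is trying to "
               f"open a file that is on the {dst} list. We recommend that you do not allow this.")
    else:
        msg = (f"The current {src} site is trying to open a file that is on your {dst} list. "
               f"If you trust this {src} site, proceed by clicking OK.")
    return {"action": "prompt", "from": src, "to": dst, "message": msg}


if __name__ == "__main__":
    cases = [
        ("http://news.example.org/story.html", "http://other.example.org/page.html"),
        ("http://news.example.org/story.html", "file:///C:/Windows/Temp/dropped.hta"),
        ("http://badsite.example.net/", "http://payroll/"),
        ("http://payroll/", "http://news.example.org/"),
    ]
    for src, dst in cases:
        r = check_navigation(src, dst)
        print(f"{r['action']:6} {r['from']} -> {r['to']}")
```

The second case is the one the lockdown and the elevation block together are aimed at: an Internet page trying to open something it has managed to drop on the local disk is an elevation from Internet into Local Machine and is not allowed to happen silently.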

MIME Handling Enforcement

MIME stands for "Multipurpose Internet Mail Extensions", and "MIME type" is simply another way of saying "content type" or "media type". Before Windows XP SP2, if a downloaded file was not what its extension or the server's content type said it was, Internet Explorer would examine the file's content ("sniff" it) together with the information provided by the server and the file type information in the downloading computer's registry to work out what the file really was and which program to use, and would then open it as that type, sometimes with no further user intervention. That meant a file served as, say, an image but actually containing HTML and script could end up being run as HTML.

On systems running Windows XP SP2, Internet Explorer behaves differently. If the file's content shows that it carries the wrong extension, Internet Explorer presents the file with its correct extension instead, so that the file's true type is not hidden from the downloading computer's owner. Internet Explorer also compares what the server says a file is with what is actually downloaded; if the reported type and the content disagree, a file download dialogue box appears and asks the user what to do.

MIME Handling Enforcement at work

If a Web site does not correctly identify an HTML page as HTML (for example, if it reports the page's content type as text/plain), then Internet Explorer will take the site at its word and display the page as plain text, neutralizing any active content that may be hidden on the page.

It is possible to disable MIME Handling Enforcement, although I recommend that you not do so unless there is no viable alternative. Click on Tools, then Internet Options. Navigate to the Security Tab, highlight the Internet Zone and then click on the Custom Level button. Disable the option Open files based on content, not file extension.
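To show how the three rules above interact (the server's declared type, the content's real type and the file extension), here is a small model of the decision logic. It is an added example and not Internet Explorer's code: the signature table, the decision labels and the sample "downloads" are my own constructions, and the rules are a simplification of what IE actually does.

```python
import os
import re
from dataclasses import dataclass

# Added example (not Internet Explorer's code): a simplified model of the SP2
# MIME handling rules described in the article. The signature table, the
# decision labels and the fixtures are assumptions made for this example.

# (leading bytes, MIME type, canonical extension) -- a hand-picked table
MAGIC = [
    (b"MZ", "application/x-msdownload", ".exe"),
    (b"%PDF-", "application/pdf", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"GIF8", "image/gif", ".gif"),
    (b"PK\x03\x04", "application/zip", ".zip"),
]
CANONICAL_EXT = {mime: ext for _, mime, ext in MAGIC}
HTML_TAG = re.compile(rb"<\s*(html|head|body|script|iframe|object|embed)\b", re.I)
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def sniff(data: bytes) -> str:
    """Guess the real type of a file from its leading bytes."""
    head = data[:256]
    for magic, mime, _ in MAGIC:
        if head.startswith(magic):
            return mime
    if HTML_TAG.search(head):
        return "text/html"
    if all(b in TEXT_BYTES for b in head):
        return "text/plain"
    return "application/octet-stream"


@dataclass
class Decision:
    action: str      # render | render-as-text | download | prompt
    mime: str        # the type actually used
    filename: str    # the name shown to the user, with the corrected extension
    reason: str


def decide(declared: str, filename: str, data: bytes) -> Decision:
    """Apply the SP2-style rules to a response with Content-Type `declared`."""
    declared = declared.split(";")[0].strip().lower()
    actual = sniff(data)

    # Rule 1: a page served as text/plain is taken at its word and shown as
    # text, so any <script> hidden in it never runs.
    if declared == "text/plain":
        return Decision("render-as-text", "text/plain", filename,
                        "declared text/plain; not promoted to HTML")

    # Rule 2: a file whose content has a known binary signature keeps its true
    # extension, and a disagreement with the server goes to the user.
    if actual in CANONICAL_EXT:
        stem, ext = os.path.splitext(filename)
        true_name = stem + CANONICAL_EXT[actual]
        if declared != actual or ext.lower() != CANONICAL_EXT[actual]:
            return Decision("prompt", actual, true_name,
                            f"server said {declared} / {ext or '(none)'}, content is {actual}")
        return Decision("download", actual, true_name, "types agree")

    # Rule 3: HTML declared as HTML renders normally.
    if declared == "text/html":
        return Decision("render", "text/html", filename, "declared as HTML")

    # Rule 4: anything else whose content does not match the claim is prompted,
    # e.g. an "image" that turns out to contain HTML and script.
    if declared != actual:
        return Decision("prompt", actual, filename,
                        f"server said {declared}, content looks like {actual}")
    return Decision("download", actual, filename, "types agree")


# Constructed fixtures for the example, not real captured traffic.
SAMPLES = [
    ("text/plain", "notes.txt", b"<html><script>alert('owned')</script></html>"),
    ("image/gif", "kitten.gif", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    ("application/pdf", "report.pdf", b"%PDF-1.4\n1 0 obj"),
    ("text/html", "index.html", b"<!DOCTYPE html><html><body>hi</body></html>"),
    ("image/gif", "banner.gif", b"<html><script>document.location='http://x'</script>"),
]

if __name__ == "__main__":
    for declared, name, data in SAMPLES:
        d = decide(declared, name, data)
        print(f"{name:12} declared={declared:16} -> {d.action:14} as {d.filename} ({d.reason})")
```

The second and fifth samples are the cases the change is about: an executable dressed up as a GIF is renamed to .exe and prompted, and a "GIF" that is really HTML is no longer quietly promoted to HTML and run.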

Where to from here?

As this article shows, Internet Explorer with XP SP2 uses several layers of security to help protect us from hostile content on the Internet. Internet Explorer 7 will continue to build on these improvements by beefing up security even further in XP SP2 and Longhorn. My personal hope is that, one day, Internet-transmitted malware will be a thing of the past, and what a wonderful day that will be.

© 2010 Microsoft Corporation. All rights reserved.