Configuring Internet Explorer Security Settings -
A step-by-step guide

By John Fitzgibbon
Last updated: Wednesday, April 19, 2006, 01:14 AM PST

Contents
  Introduction
  Modifying the "Internet" and "Secure" Zone Settings
  Adding sites to the "Secure Zone"




Introduction

The following instructions illustrate how to configure Internet Explorer for a more secure online experience.

These settings limit the functionality of Internet Explorer for any websites that you do not explicitly add to your "Secure Zone" (as explained below). This may seem frustrating at times, but there are two major advantages:

1) You will be considerably less likely to fall victim to the "latest and greatest" browser script attacks.

2) Pop-ups, drop-downs, pop-unders and all the other forms of intrusive web advertising will not be displayed, except on sites that are in the "Secure Zone".

Please be aware that these settings will reduce your risk, but will not eliminate all threats. Common sense and a healthy dose of suspicion are still called for when browsing unknown sites. Complacency and carelessness are your worst enemies in the battle to maintain your privacy and security online.


Modifying the "Internet" and "Secure" Zone Settings

In Internet Explorer, select the "Tools" menu, then "Internet Options".



Select the "Security" tab. This will bring up the screen shown to the right.

To modify one of the four security "zones", click on the zone's icon, then click the "Custom Level..." button.

The two zones we are interested in modifying are the "Internet Zone" (the globe icon) and the "Secure Zone" (or "Trusted Sites" - the green tick icon).

[Screenshot: Security Settings]


The following diagrams show the settings I use for these zones. Pretty much everything is disabled for the "Internet Zone", while most key features are enabled in the "Secure Zone".
[Diagram: Internet Zone Settings]
[Diagram: Secure Zone Settings]



Adding sites to the "Secure Zone"

Once you have followed the steps above, scripting features will be disabled by default. Over time you will most likely find that you want to enable scripting for certain frequently visited websites. To do this, you will need to add these sites to the "Secure Zone".

To add a site to the "Secure Zone", click on the "Secure Zone" icon in the "Security" tab, then select the "Sites" button. The screen shown on the right will be displayed.

Enter the name of the site to add (including the "http://" bit), then click the "Add" button.

Note that you can use an asterisk to designate all sites in a particular domain. For example, adding http://*.ibm.com would mean sites such as http://www.ibm.com, http://shopping.ibm.com and http://www.ibm.com/shopping would all be considered part of the "Secure Zone".

Note that sites that use secure forms will use "https://" instead of "http://". The "https://" variant of the URL must be added separately. So, to cover all sites at ibm.com for example, you would need to add two entries:
http://*.ibm.com and https://*.ibm.com
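
The wildcard and scheme rules above, as an added example (not part of the original guide, and not Internet Explorer's own matching code): a simplified Python model that checks which URLs a list of "Secure Zone" entries covers and reports http:// entries that lack an https:// counterpart. The function names and sample entries are constructed for illustration, and the model assumes a wildcard covers subdomains only.

```python
from urllib.parse import urlsplit

def parse_entry(entry):
    """Split a dialog entry such as 'http://*.ibm.com' into (scheme, domain, wildcard)."""
    scheme, _, rest = entry.partition("://")
    host = rest.split("/", 1)[0].lower()
    wildcard = host.startswith("*.")
    return scheme.lower(), (host[2:] if wildcard else host), wildcard

def in_secure_zone(url, entries):
    """Return True if the URL's scheme and host are covered by one of the entries."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in entries:
        scheme, domain, wildcard = parse_entry(entry)
        if parts.scheme.lower() != scheme:
            continue  # an http:// entry never covers the https:// variant
        if wildcard:
            # Match only on a label boundary, so "notibm.com" is not "*.ibm.com".
            # Assumption of this model: the bare domain itself is not covered,
            # because the guide only lists subdomains as examples.
            if host.endswith("." + domain):
                return True
        elif host == domain:
            return True
    return False

def missing_https(entries):
    """Return the http:// entries that have no matching https:// entry."""
    parsed = {parse_entry(e) for e in entries}
    result = []
    for entry in entries:
        scheme, domain, wildcard = parse_entry(entry)
        if scheme == "http" and ("https", domain, wildcard) not in parsed:
            result.append(entry)
    return result

# Constructed sample list, as it might be typed into the "Sites" dialog.
SAMPLE_ENTRIES = ["http://*.ibm.com", "https://*.ibm.com", "http://*.example.org"]

if __name__ == "__main__":
    for url in ("http://www.ibm.com/shopping", "https://shopping.ibm.com",
                "https://www.example.org", "http://notibm.com"):
        zone = "Secure Zone" if in_secure_zone(url, SAMPLE_ENTRIES) else "Internet Zone"
        print(f"{url:32} -> {zone}")
    print("http:// entries without https://:", missing_https(SAMPLE_ENTRIES))
```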

[Screenshot: Adding a trusted site]

If there are sites that you do not visit very often that require scripting, and you would rather not add them to your "Secure Zone", I'd recommend installing a second browser - Mozilla or the free version of Opera are ideal - and using this second browser for these infrequently visited sites. I typically take this approach when doing occasional online shopping, since most shopping sites use some form of scripting.

No matter what browser you are using, you should not enable scripting for a site unless you are reasonably sure that the site can be trusted. Most major company websites should be okay, but beware when visiting smaller, unknown sites.