Carlpedia

Introduction

Internet Explorer defines 4 visible security zones, listed here from most to least trusted:

  • Local Intranet
  • Trusted Sites
  • Internet
  • Restricted Sites

Every network reference in Windows is interpreted as being in one of these zones. Note: this is true whether Internet Explorer is used or not; i.e., Mozilla Firefox, Adobe Reader X, and Windows Explorer obey these zone definitions too. (Here is the Microsoft technical explanation.) There are zone configuration settings at both the machine and user level.

Why the Defaults Don't Work as Expected

By default, network resources are in the Internet Zone, on which the default security level is Medium-high. (And IE Protected Mode is enabled in Windows 7 and later for the Internet and Restricted zones.) This relatively high security level causes unwanted warning messages to appear when using many local intranet services, like Moodle. And sites in the Internet and Restricted zones have pop-up windows (popups) blocked, while sites in the Local Intranet and Trusted Sites zones do not. Don't change the security level of a zone or set a custom level; instead, add the network resource to the appropriate security zone, as described below.

Which Security Zone is Being Used?

First, check which security zone the network resource is using. Open Internet Explorer (IE) and enter the URL of the network service. Right-click an empty spot on the page and choose Properties, where you'll see the Zone: field in about the middle. If the zone for this network service is Internet, you can resolve problems for the currently logged-in user by adding the network service to a more trusted zone, where the security level is lower.

Local Intranet Zone

Network services at Carleton that are supported by ITS should be placed in the most trusted zone, the Local Intranet zone, whose default security level is Medium-low. To do this, open Control Panel->Internet Options->Security tab. Select the Local intranet icon, and then choose the Sites button. Choose the Advanced button to change the list of sites interpreted as being in the Local intranet. Note: the checkbox "Automatically detect intranet network" may or may not be checked; if you have to change it to select the Advanced button, do so. On the Local intranet dialog window, type the Carleton site in this format: whatever.carleton.edu or whatever.sub.carleton.edu, then select the Add button. (Example: colleague.carleton.edu). You don't have to add any resources that are already in the ads.carleton.edu, its.carleton.edu, or servers.carleton.edu subdomains; these are already covered by the wildcard entries you see at the top of the list. Make sure the checkbox at the bottom, "Require server verification (https:) for all sites in this zone" remains unchecked, then choose Close.

Trusted Sites Zone

Network services outside Carleton that are known to be safe should be placed in the second most trusted zone, the Trusted Sites zone, whose default security level is Medium. To do this, open Control Panel->Internet Options->Security tab. Select the Trusted sites icon, and then choose the Sites button. On the Trusted sites dialog window, type the network service in this format: whatever.domain.xxx or whatever.sub.domain.xxx, then select the Add button. (Example: update.microsoft.com). Make sure the checkbox at the bottom, "Require server verification (https:) for all sites in this zone" remains unchecked, then choose Close.

Where Did The Zone Site Lists Come From?

As part of the Carleton build of Windows, a script is run to pre-populate the IE Security Zones for Carleton at both the machine and default user levels, as described above. A user may run this script from the KBOX user portal: "IE Security Zones Fix User (2of2)". This changes just this user's security zone definitions, preserving any manual additions the user made. The list shown below may not be up to date; see the KBOX K1st script for the definitive list. The items below in italics are new; the items below in strikethrough are deprecated:

  • *.ads.carleton.edu
  • *.its.carleton.edu
  • *.servers.carleton.edu
  • apps.carleton.edu
  • carlwiki.carleton.edu
  • citrix.carleton.edu
  • cognos.carleton.edu
  • colleague.carleton.edu
  • connect.carleton.edu
  • files.carleton.edu
  • helpdesk.carleton.edu
  • k1000.carleton.edu
  • mail.carleton.edu
  • moodle.carleton.edu
  • onbaseweb.carleton.edu
  • remote.carleton.edu
  • scic.carleton.edu
  • support.carleton.edu
  • thehub.carleton.edu
  • vpn.carleton.edu
  • webcheckout.carleton.edu
  • wiki.carleton.edu
  • www.carleton.edu
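
Because every entry in the Local Intranet or Trusted Sites zone runs at a lower security level, it is worth auditing what is actually in those lists. The following PowerShell is an added example, not the KBOX script: it reads the standard ZoneMap\Domains registry keys for the current user and the machine and reports more-trusted entries that are missing from a baseline. The function name Get-ZoneMapEntry is hypothetical and the baseline is a constructed subset of the list above.

```powershell
# Added example (not the KBOX script): audit the ZoneMap\Domains site lists.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }
$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
# Constructed baseline: a few entries copied from the list above, for illustration only.
$baseline = @('*.ads.carleton.edu', '*.its.carleton.edu', '*.servers.carleton.edu',
              'moodle.carleton.edu', 'colleague.carleton.edu')

function Get-ZoneMapEntry {
    param([string[]]$Root = $zoneMapRoots)
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r -Recurse) {
            # The key path below Domains is "domain\subdomain"; reverse it into a host name.
            [string[]]$parts = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)
            $site = $parts -join '.'
            foreach ($protocol in $key.GetValueNames()) {
                if (-not $protocol) { continue }      # skip the unnamed default value
                $zone = [int]$key.GetValue($protocol) # value data is the zone number
                [pscustomobject]@{
                    Hive       = $r.Substring(0, 4)   # HKCU or HKLM
                    Site       = $site
                    Protocol   = $protocol            # "*", "http", "https", ...
                    Zone       = $zoneNames[$zone]
                    InBaseline = $baseline -contains $site
                }
            }
        }
    }
}

# Report every site in a more-trusted zone that the baseline does not list.
Get-ZoneMapEntry |
    Where-Object { $_.Zone -in 'Local Intranet', 'Trusted Sites' -and -not $_.InBaseline } |
    Sort-Object Hive, Site |
    Format-Table -AutoSize
```

Entries reported here are either manual additions by the user or items missing from the baseline; review each one before leaving it in a more trusted zone.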

S.Nissen originally authored the Windows information in this article, but after April 1, 2015, Rebecca Barkmeier will be responsible for the packaging of this Kscript for Windows, so all questions should be directed to her.

Troubleshooting Notes

Network references in different formats that specify the same network resource may be interpreted as different security zones, which changes the security level applied to that network resource. For example, even if all these URLs and UNCs referred to exactly the same page, the security zones would be resolved differently, resulting in different behavior:

  • localhost
  • 127.0.0.1
  • \\mycomputer.ads.carleton.edu\admin$
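
The zone check described under "Which Security Zone is Being Used?" can also be scripted, which makes it easy to compare several references side by side. This is an added example, not part of the original article: it assumes Windows PowerShell 5.1 (.NET Framework), the function name Get-ReferenceZone is hypothetical, and the http:// prefixes and the moodle URL are assumptions added to turn the references into full URLs.

```powershell
# Added example: ask Windows which security zone it assigns to each reference.
# .NET's SecurityZone enum uses different names than the Internet Options dialog,
# so map them to the names used in this article.
$uiName = @{
    MyComputer = 'My Computer (not one of the 4 visible zones)'
    Intranet   = 'Local Intranet'
    Trusted    = 'Trusted Sites'
    Internet   = 'Internet'
    Untrusted  = 'Restricted Sites'
    NoZone     = '(no zone)'
}

function Get-ReferenceZone {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Reference)
    process {
        try {
            $zone = [System.Security.Policy.Zone]::CreateFromUrl($Reference).SecurityZone
            $name = $uiName[$zone.ToString()]
        } catch {
            # Malformed references are reported rather than stopping the comparison.
            $name = "unresolved: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Reference = $Reference; Zone = $name }
    }
}

# The three forms from the list above, plus one listed site for comparison.
'http://localhost/',
'http://127.0.0.1/',
'\\mycomputer.ads.carleton.edu\admin$',
'http://moodle.carleton.edu/' |
    Get-ReferenceZone |
    Format-Table -AutoSize
```

Run it as the affected user, since zone assignments can differ per user.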

Here is a more technical utility I (Sande Nissen) trust for exploring IE security zones and settings.