Internet Explorer Browser Controls:
Within IE are four configurable zones, each with its own level of trust (some zones also allow site-by-site control):
- Internet: This zone handles every Web site you have not placed in any other zone, which is the vast majority of the Net. The default setting is Medium.
- Local Intranet: This zone handles Web sites on your organization's intranet. If you are not on a network, you should never enter any Web address into this zone; if you are on a network, you should not enter any Web address that is outside your own infrastructure. The default setting is Medium-low.
- Trusted Sites: This zone handles Web sites that you trust not to damage, alter, or steal from your computer. Keep in mind that any third-party content (such as ads) on a site placed in the Trusted Sites zone runs with the same privileges as the site it is displayed on; this is exactly why you do not put eBay.com in the "Trusted Sites" zone. The default setting is Low.
- Restricted Sites: This zone handles Web sites that could harm your computer or data. The default setting is High.
- Local Machine: This is an implicit (and hidden) zone for content that exists on the local computer. Content found on the user's own computer, other than what IE has cached, is treated with a high level of trust, which is one reason it is unwise to save Web pages to disk and open them locally. In Windows XP SP2, however, the Local Machine Zone Lockdown feature makes IE apply restrictions to such content that are tighter than the default Internet zone settings.
Within those zones are controls for:
- .NET Framework-reliant components:
This setting may not be available unless the .NET Framework is installed on your system. Authenticode is the code-signing system; a valid signature verifies only that the code has not changed since it was signed and that the signing certificate was issued by a certificate authority. It says nothing about whether the code is safe.
- ActiveX controls and plug-ins:
These are executable programs that add certain functions/features to the browser. The IE browser will use these programs to interpret and handle various types of documents and media formats such as PDF files, Macromedia Flash files, Apple QuickTime files, Microsoft Media Player files, etc. Many of the ActiveX programs are present in the default installation of IE. However, third parties can write custom ActiveX controls and plug-ins that perform any function desired.
It is important to know that ActiveX controls and plug-ins are native code: once running they execute with the full privileges of the logged-on user and can reach every file and setting the user can. The only thing standing between a Web page and that access is the browser's zone restrictions on downloading, running and scripting controls, and those restrictions hold only as long as neither the browser nor the control itself has an exploitable vulnerability. A single bug in either can let a malicious page perform unauthorized or dangerous actions on the computer. Content under the hidden fifth zone, Local Machine, was (before the XP SP2 lockdown described above) treated even more leniently than the "Local Intranet" zone. There is a complex registry-based way to block ActiveX controls from loading in this zone, but applied broadly it will break many of your Microsoft and third-party applications that depend on those controls. Your best defense is to be extremely careful about everything you download AND to use an ALTERNATIVE BROWSER whenever possible.
Please understand that a "signed" ActiveX control is no guarantee of its functionality, trustworthiness, nature, or reliability. The signature means only that a publisher holding a certificate put its name to the code and that the code has not been altered since; nobody has vetted what the code actually does.
- File download:
This self-explanatory setting controls whether files can be downloaded at all. Downloaded files may contain malicious code, so make sure you have properly updated antivirus software installed.
- Java permissions:
This setting controls how much access Java applets get: at High safety they stay inside the JVM sandbox, while lower settings let them perform high-level functions such as accessing system resources and files outside it. Applets are usually embedded in Web pages and run by the browser whenever the page is opened. As with ActiveX controls, if applets are allowed to run outside the sandbox, a malicious applet could be instructed to do damage.
- Access data sources across domains:
This allows a page to pull data from servers in domains other than the one the page came from. If allowed, the page may contain content from sites that you should not necessarily trust.
- Allow META REFRESH:
The META REFRESH setting allows a page to redirect you to another page after a set amount of time. If allowed, you may be redirected to a page you did not want, possibly one hosting a malicious program; however, the function is widely used legitimately to send you to the newest version of a page.
- Display mixed content:
This controls whether a page that mixes secure (HTTPS) and non-secure (HTTP) content is displayed. It is best to be warned when encountering such pages, because the non-secure parts can be read or altered in transit.
- Don’t prompt for client certificate selection when...:
This setting determines whether you are prompted to select a client certificate when a site requests one and you have no certificate, or only one certificate, installed on the computer.
- Drag and drop or copy and paste files:
Another self-explanatory setting that allows you to drag and drop or copy and paste files from a Web site to your computer. Again, make sure you have properly updated antivirus software installed.
- Installation of desktop items:
This setting controls whether you are allowed to install desktop items (Active Desktop content) from a Web page. Since a desktop item can be an ActiveX control, it could contain malicious code.
- Launching programs and files in an IFRAME:
This controls whether files can be downloaded or applications run from an IFRAME element on a Web page when that IFRAME contains directory or folder references. The setting was introduced in response to a security vulnerability that allowed a malicious Web page to read files on your computer.
- Navigate sub-frames across different domains:
This setting controls whether a page may navigate a sub-frame (a frame or IFRAME) to a site in a different domain. Left enabled, it lets a malicious page open another site's window and then point that site's sub-frames at any Web site the attacker chooses, so attacker-controlled content appears inside a trusted site's frameset.
- Software channel permissions:
This allows the automatic installation of software updates from Web channels within the zone. A software channel is a subscription-based service that lets a Web site notify users of software updates and deliver and install those updates on their computers. If allowed, a malicious program could be downloaded and installed on your computer.
- Submit nonencrypted form data:
This setting controls whether IE will submit form data over an unencrypted (HTTP) connection to sites within the zone. Anything submitted this way can be read in transit.
- Userdata persistence:
This allows a Web site to store a small amount of data on your computer (IE's userData persistence) so the site can remember personal information about you. This is one of those troubling settings; if you are truly paranoid, disable it.
- Active scripting:
This setting allows the execution of active scripts, meaning JavaScript (JScript) and VBScript embedded in pages. Scripts can also call on locally installed ActiveX controls, plug-ins and Java applets, which is why letting scripts run automatically is one of the biggest exposures in IE: a malicious script may be able to execute a program on your computer. The Nimda worm used active scripts to infect people while they were surfing the Web.
- Allow paste operations via script:
This controls whether scripts may read from and write to the clipboard. A malicious script on a Web site could read your clipboard's contents and forward them to another site.
- Java applets:
These are similar to ActiveX controls and plug-ins but run in a restricted environment (sandbox) provided by the Java Virtual Machine (JVM). The sandbox is intended to prevent applets from doing damage to the local machine, but that protection depends entirely on keeping the JVM patched.
Safer Browsing with Internet Explorer:
Internet Zone
| Setting | Recommended |
| .NET Framework-reliant components | |
| Run components not signed with Authenticode (not available unless the .NET Framework is installed) | Prompt |
| Run components signed with Authenticode (not available unless the .NET Framework is installed) | Enable |
| ActiveX controls and plug-ins | |
| Automatic prompting for ActiveX controls (IE 6 on WinXP SP2 only; controls the Information Bar shown when a site's ActiveX download is blocked. ENABLE turns the Information Bar off and lets sites prompt you directly) | Disable |
| Binary and script behaviors (IE 6 on WinXP SP2 only; controls whether DHTML binary behaviors and script behaviors may run. They are disabled by default in the Restricted Sites zone and under Local Machine Zone Lockdown. DISABLE is the truly safe choice, but it will adversely affect Outlook Express and a few Web sites) | Enable |
| Download signed ActiveX controls | Prompt |
| Download unsigned ActiveX controls | Disable |
| Initialize and script ActiveX controls not marked as safe | Disable |
| Run ActiveX controls and plug-ins | Prompt |
| Script ActiveX controls marked safe for scripting | Prompt |
| Downloads | |
| Automatic prompting for file downloads (IE 6 on WinXP SP2 only; controls the Information Bar shown when a site tries to download a file you did not specifically request. IE blocks the download, loads the page and alerts you via the Information Bar; ENABLE turns that notification off and lets sites prompt you directly) | Disable |
| File download | Enable |
| Font download | Prompt |
| Microsoft VM | |
| Java permissions | High safety |
| Miscellaneous | |
| Access data sources across domains | Disable (or Prompt) |
| Allow META REFRESH | Enable |
| Allow scripting of Internet Explorer Webbrowser controls | Disable |
| Allow script-initiated windows without size or position constraints | Disable |
| Allow Web pages to use restricted protocols for active content | Prompt |
| Display mixed content (PROMPT warns you about mixed content. ENABLE shows the non-secure content with no warning; DISABLE silently refuses to display the non-secure content) | Prompt |
| Don't prompt for client certificate selection when no certificates or only one certificate exists | Disable |
| Drag and drop or copy and paste files | Prompt |
| Installation of desktop items | Disable |
| Launching programs and files in an IFRAME | Disable |
| Navigate sub-frames across different domains | Disable |
| Open files based on content, not file extension | Disable |
| Software channel permissions | Medium safety |
| Submit nonencrypted form data | Enable |
| Use Pop-up Blocker (install the Google Toolbar instead) | Disable |
| Userdata persistence | Enable |
| Web sites in less privileged web content zone can navigate into this zone | Enable |
| Scripting | |
| Active scripting | Disable (or Prompt) |
| Allow paste operations via script | Disable (or Prompt) |
| Scripting of Java applets | Prompt (or Disable) |
| User Authentication | |
| Logon | Automatic logon only in Intranet zone |
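Every row of this table is a DWORD under the Internet zone's registry key, so the recommendations can be applied with one import and a machine can be checked against them. The Python script below is an added example, not something from this page: it writes the Internet zone recommendations above as a .reg file and audits a `reg export` of the zone against them. The key path and the four-hex-digit action IDs are Microsoft's documented zone-registry layout (KB182569); where the table says "(or Prompt)" or "(or Disable)" the stricter value is used; the sample export embedded in the script is constructed for illustration, not taken from a real machine.

```python
import re

# Added example, not from the original page. Key and action IDs follow the
# documented IE zone-registry layout (KB182569): 0 = Enable, 1 = Prompt,
# 3 = Disable; Logon, Java and Software channel use their own encodings.
ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones")
INTERNET_ZONE = 3                      # 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Tri-state rows of the table above, stricter option taken where it offers two.
INTERNET_RECOMMENDED = {
    0x1001: PROMPT,   # Download signed ActiveX controls
    0x1004: DISABLE,  # Download unsigned ActiveX controls
    0x1200: PROMPT,   # Run ActiveX controls and plug-ins
    0x1201: DISABLE,  # Initialize and script ActiveX controls not marked as safe
    0x1206: DISABLE,  # Allow scripting of Internet Explorer Webbrowser controls
    0x1400: DISABLE,  # Active scripting
    0x1402: DISABLE,  # Scripting of Java applets
    0x1405: PROMPT,   # Script ActiveX controls marked safe for scripting
    0x1406: DISABLE,  # Access data sources across domains
    0x1407: DISABLE,  # Allow paste operations via script
    0x1601: ENABLE,   # Submit nonencrypted form data
    0x1604: PROMPT,   # Font download
    0x1606: ENABLE,   # Userdata persistence
    0x1607: DISABLE,  # Navigate sub-frames across different domains
    0x1608: ENABLE,   # Allow META REFRESH
    0x1609: PROMPT,   # Display mixed content
    0x1800: DISABLE,  # Installation of desktop items
    0x1802: PROMPT,   # Drag and drop or copy and paste files
    0x1803: ENABLE,   # File download
    0x1804: DISABLE,  # Launching programs and files in an IFRAME
    0x1809: DISABLE,  # Use Pop-up Blocker
    0x2000: ENABLE,   # Binary and script behaviors
    0x2001: ENABLE,   # Run components signed with Authenticode
    0x2004: PROMPT,   # Run components not signed with Authenticode
    0x2100: DISABLE,  # Open files based on content, not file extension
    0x2101: ENABLE,   # Less privileged zone can navigate into this zone
    0x2102: DISABLE,  # Script-initiated windows without size/position constraints
    0x2200: DISABLE,  # Automatic prompting for file downloads
    0x2201: DISABLE,  # Automatic prompting for ActiveX controls
    0x2300: PROMPT,   # Allow Web pages to use restricted protocols for active content
}
INTERNET_RECOMMENDED_OTHER = {
    0x1A00: 0x20000,  # Logon: automatic logon only in Intranet zone
    0x1C00: 0x10000,  # Java permissions: High safety
    0x1E05: 0x20000,  # Software channel permissions: Medium safety
}

_DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_zone(text):
    """Parse `reg export` text of one Zones\\<n> key into {action: value}.
    reg.exe writes UTF-16, so read the file with encoding="utf-16".
    String values such as DisplayName are ignored."""
    values = {}
    for line in text.splitlines():
        m = _DWORD_RE.match(line.strip())
        if m:
            values[int(m.group(1), 16)] = int(m.group(2), 16)
    return values


def audit(current, tri=INTERNET_RECOMMENDED, other=INTERNET_RECOMMENDED_OTHER):
    """Sorted [(action, have, want)] for actions set more loosely than
    recommended: for tri-state actions a lower value is more permissive
    (Enable < Prompt < Disable); specially encoded ones are flagged on any
    difference. Actions absent from `current` are skipped because IE then
    uses the zone template's default, so audit a full export."""
    findings = []
    for action, want in tri.items():
        have = current.get(action)
        if have is not None and have < want:
            findings.append((action, have, want))
    for action, want in other.items():
        have = current.get(action)
        if have is not None and have != want:
            findings.append((action, have, want))
    return sorted(findings)


def reg_export(zone=INTERNET_ZONE, tri=INTERNET_RECOMMENDED, other=INTERNET_RECOMMENDED_OTHER):
    """Build .reg text (CRLF, regedit style) that applies the recommendation to `zone`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONES_KEY}\\{zone}]"]
    for action, value in sorted({**tri, **other}.items()):
        lines.append(f'"{action:04X}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"


# Constructed sample of a Zones\3 export from a machine still running with
# Active scripting and ActiveX enabled (illustration only, not a real export).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1200"=dword:00000000
"1400"=dword:00000000
"1406"=dword:00000003
"1A00"=dword:00020000
"1C00"=dword:00010000
"""

if __name__ == "__main__":
    for action, have, want in audit(parse_reg_zone(SAMPLE_EXPORT)):
        print(f"{action:04X}: current {have:#x}, recommended {want:#x}")
    print(reg_export())
```

Export the live values with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, feed the file's text to parse_reg_zone, and import the generated file with `reg import`. The same two functions serve the Restricted Sites table further down by passing zone=4 and dictionaries built from that table. Note that when an administrator has set Security_HKLM_only under HKLM\...\Internet Settings, IE reads the HKLM copies of these keys instead of the per-user ones.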
Using the IE_eBay Browser Tweak:
Restricted Sites Zone
| Setting | Recommended |
| .NET Framework-reliant components | |
| Run components not signed with Authenticode | Disable |
| Run components signed with Authenticode | Disable |
| ActiveX controls and plug-ins | |
| Automatic prompting for ActiveX controls | Disable |
| Binary and script behaviors | Disable |
| Download signed ActiveX controls | Disable |
| Download unsigned ActiveX controls | Disable |
| Initialize and script ActiveX controls not marked as safe | Disable |
| Run ActiveX controls and plug-ins | Disable |
| Script ActiveX controls marked safe for scripting | Disable |
| Downloads | |
| Automatic prompting for file downloads | Disable |
| File download | Disable |
| Font download | Disable |
| Microsoft VM | |
| Java permissions | Disable Java |
| Miscellaneous | |
| Access data sources across domains | Disable |
| Allow META REFRESH | Disable |
| Allow scripting of Internet Explorer Webbrowser controls | Disable |
| Allow script-initiated windows without size or position constraints | Disable |
| Allow Web pages to use restricted protocols for active content | Disable |
| Display mixed content | Disable |
| Don't prompt for client certificate selection when no certificates or only one certificate exists | Disable |
| Drag and drop or copy and paste files | Prompt |
| Installation of desktop items | Disable |
| Launching programs and files in an IFRAME | Disable |
| Navigate sub-frames across different domains | Disable |
| Open files based on content, not file extension | Disable |
| Software channel permissions | High safety |
| Submit nonencrypted form data (this is the only Restricted Sites zone setting that absolutely must be changed for the IE_eBay browser tweak; however, the alerts caused by the default Restricted Sites zone "Prompt" settings will drive you nuts, so for your sanity adjust all the RS zone settings per these instructions) | Enable |
| Use Pop-up Blocker | Disable |
| Userdata persistence | Disable |
| Web sites in less privileged web content zone can navigate into this zone | Disable |
| Scripting | |
| Active scripting | Disable |
| Allow paste operations via script | Disable |
| Scripting of Java applets | Prompt |
| User Authentication | |
| Logon | Prompt for user name and password |
Restricted URLs
These are the eBay-related URLs that I have in the "Restricted Sites" zone:
http://*.2o7.net   (that is a lower-case "o", not a zero)
http://*.admarketplace.net
http://*.andale.com
http://ads.web.aol.com
http://ar.atwola.com
http://*.auctiva.com
http://*.doubleclick.com
http://ad.doubleclick.net
http://ebay.doubleclick.net
http://*.doubleclick.net
http://banners.ebay.com
http://bibo.ebay.com
http://include.ebay.com
http://include.ebaystatic.com
http://*.ebayobjects.com
http://pics.ebaystatic.com
http://thumbs.ebaystatic.com
http://promo.ebay.com
http://*.ebaypromo.com
http://listings.ebay.com
http://*.listings.ebay.com   (SEE BELOW)
http://*.search-desc.ebay.com   (SEE BELOW)
http://*.search.ebay.com   (SEE BELOW)
http://search.ebay.com
http://search-desc.ebay.com
http://search.ebaymotors.com
http://search.stores.ebay.com
http://keyword.ebay.com
http://attr-search.ebay.com
http://www.ebay.com
http://srv.main.ebayrtm.com
http://*.esomniture.com
http://*.omniture.com
http://adfarm.mediaplex.com
http://altfarm.mediaplex.com
http://*.mediaplex.com
https://secureinclude.ebaystatic.com
https://securepics.ebaystatic.com
Don't use the asterisk (*) wildcard in the three URLs marked SEE BELOW if you visit the Mature Audiences section of eBay: to visit eBay's Mature section, your browser must be able to accept a cookie from that category. You can still restrict the other category browse and search results pages you frequent by entering each full host name instead. Examples:
http://books.listings.ebay.com
http://music.listings.ebay.com
http://pottery-glass.search-desc.ebay.com
http://jewelry.search-desc.ebay.com
http://collectibles.search.ebay.com
http://clothing.search.ebay.com
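Each URL in this list ends up as a ZoneMap entry in the registry, and for a list this long it is easier to generate those entries than to type them into the Restricted Sites dialog one at a time. The Python script below is an added example and not part of this page: it maps each URL to its ZoneMap key (the domain key itself for a `*.domain` wildcard, a host subkey otherwise, with a DWORD named after the scheme holding the zone number, 4 for Restricted Sites), emits a .reg file, and optionally applies the Mature Audiences caveat above by swapping the three marked wildcards for the per-category hosts listed as examples. The domain and host layout is Microsoft's documented one (KB182569); the `*.<label>` subkey form used for a wildcard below the domain level is an assumption taken from registry exports of dialog-configured machines, so verify it on your own machine by adding one such entry through the dialog and exporting ZoneMap. The script also assumes the registrable domain is the last two labels, which holds for every host in this list but not for names under two-level ccTLDs such as .co.uk.

```python
# Added example, not from the original page. Layout follows the documented
# IE ZoneMap structure (KB182569):
#   HKCU\...\Internet Settings\ZoneMap\Domains\<domain>[\<host labels>]
#   "<scheme>"=dword:<zone>        (4 = Restricted Sites)
# A "*.<domain>" wildcard puts the value on the <domain> key itself; a full
# host puts it on a subkey named with the leading labels. The "*.<label>"
# subkey for wildcards below the domain level is an assumption; check it
# against an export from your own machine.
RESTRICTED_SITES_ZONE = 4
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Part of the page's list above; extend with the remaining entries.
RESTRICTED_URLS = [
    "http://*.2o7.net",
    "http://ads.web.aol.com",
    "http://*.doubleclick.net",
    "http://ad.doubleclick.net",
    "http://*.listings.ebay.com",
    "http://*.search-desc.ebay.com",
    "http://*.search.ebay.com",
    "http://www.ebay.com",
    "http://include.ebaystatic.com",
    "https://secureinclude.ebaystatic.com",
]

# The three wildcards the page says to avoid if you use the Mature Audiences
# section, with the per-category hosts it gives as examples of replacements.
MATURE_AUDIENCES_SWAP = {
    "http://*.listings.ebay.com": ["http://books.listings.ebay.com",
                                   "http://music.listings.ebay.com"],
    "http://*.search-desc.ebay.com": ["http://pottery-glass.search-desc.ebay.com",
                                      "http://jewelry.search-desc.ebay.com"],
    "http://*.search.ebay.com": ["http://collectibles.search.ebay.com",
                                 "http://clothing.search.ebay.com"],
}


def zonemap_entry(url):
    """Map a zone-list URL to (domain_key, host_subkey or None, scheme)."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("http", "https"):
        raise ValueError(f"only http/https zone URLs are supported: {url!r}")
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()   # drop path and port
    labels = host.split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
    # Reject empty labels and any '*' that is not a leading "*." wildcard.
    if len(labels) < 2 or any(not l or "*" in l for l in labels):
        raise ValueError(f"malformed host in zone URL: {url!r}")
    domain = ".".join(labels[-2:])      # assumes a two-label registrable domain
    prefix = ".".join(labels[:-2])
    if not prefix:
        return domain, None, scheme     # "*.example.com" or bare "example.com"
    return domain, ("*." + prefix if wildcard else prefix), scheme


def reg_export(urls, zone=RESTRICTED_SITES_ZONE, mature_audiences=False):
    """Build .reg text (CRLF, regedit style) placing `urls` in `zone`.
    With mature_audiences=True the wildcards in MATURE_AUDIENCES_SWAP are
    replaced by their per-category hosts, as the page advises."""
    if mature_audiences:
        urls = [u2 for u in urls for u2 in MATURE_AUDIENCES_SWAP.get(u, [u])]
    entries = {}   # registry key path -> {scheme: zone}; merges http and https
    for url in urls:
        domain, sub, scheme = zonemap_entry(url)
        path = DOMAINS_KEY + "\\" + domain + ("\\" + sub if sub else "")
        entries.setdefault(path, {})[scheme] = zone
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path in sorted(entries):
        lines.append(f"[{path}]")
        for scheme, z in sorted(entries[path].items()):
            lines.append(f'"{scheme}"=dword:{z:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    import sys
    print(reg_export(RESTRICTED_URLS, mature_audiences="--mature" in sys.argv))
```

Redirect the output to a file and import it with `reg import`, then confirm in the Restricted Sites dialog that the entries appear as you expect; the dialog is the authoritative view of how IE interpreted the keys.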
Good Luck!



