At the IEBlog, Microsoft’s Vishu Gupta, Rob Franco and Venkat Kudulur ask and answer the question, Dude, where’s my intranet zone?
Internet Explorer enforces security rules for websites by grouping them into categories or “security zones”. Today we want to explain the changes to security zones you’ll see in IE7 …
Despite the URL parsing improvements, our threat-models will continue to drive us to add defense-in-depth against Zone-spoofing threats. We realized that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE. One of our interns this summer, Robert Liao, changed IE’s logic so that a Windows machine that is not on a managed corporate network will treat apparent Intranet sites as Internet. This change effectively removes the attack surface of the intranet zone for home PC users.
Of course, in enterprise IT networks, sites in the intranet zone have to just work exactly like they do today. IE7 will check if the machine has joined a domain. If a machine has joined a domain, as you would expect, IE7 will automatically detect intranet sites and run them with settings for the Intranet zone.
This may be nice for larger enterprise networks with a Microsoft domain setup, but some problems come to mind for smaller businesses and heterogeneous environments.
There will be cases where IE might not detect an enterprise IT network correctly. For example, a PC might be on a workgroup rather than a domain or it may not have joined the domain. For those cases, network admins will be able to set group policy on the settings for the Intranet to make sure that IE behaves as they wish. Even if the network admin can’t set policy, IE will show an information bar when visiting a probable intranet site. If a user wants to re-enable their intranet zone, they’ll be able to.
At least there’s an escape mechanism. I don’t doubt the innovation involved in making Internet Explorer serve many different purposes with the security zone system, but the emphasis seems to be on serving either home users or business users in large, all-Microsoft enterprises, when there is a substantial middle ground as well.
Hit the link for details on IE7 changes in the Internet and Trusted security zones as well, including making the Internet zone run in Protected Mode.