Internet Explorer Zone Elevation Blocks

Applies To:Windows Server 2003 with SP1
Note
The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
Pack 2.
What does Zone Elevation Blocks do?
When a Web pageis opened in InternetExplorer, InternetExplorer puts restrictions on what the pagecan do, based on where
that Web pagecamefrom: theInternet,a local intranet server,a trusted site,and so on.For example, pages on theInternet
havestricter security restrictions than pages on a user’s local intranet.Web pages on a user’s computer arein theLocal
Machinesecurity zone, wherethey havethefewest security restrictions.This makes theLocal Machinesecurity zonea prime
target for malicious users. ZoneElevation Blocks makes it harder to get codeto run in this zone. In addition,Local Machine
ZoneLockdown makes thezoneless vulnerableto malicious users by changing its security settings.
Who does this feature apply to?
Web developers must plan changes or workarounds for any possibleimpact to their Web site.
Application developers should review this featureto plan to adopt changes in their applications that run in theLocal Machine
security zone. Becausethefeatureis notenabled for processes other than InternetExplorer by default, developers must
register their applications to takeadvantage of thechanges.
End users might beaffected by sites thatare not compatible with thesestricter rules and settings.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Zone Elevation Blocks
Detailed description
InternetExplorer prevents the overall security context for any link on a pagefrom being higher than thesecurity context of the
root URL.This means, for example, thata pagein theInternet zonecannot navigateto a pagein theLocal Intranet zone. A
script, for example,could not causethis navigation.For the purpose of this mitigation, thesecurity context ranking of thezones,
from highest security context to lowest, is: Restricted Sites zone, Internet zone,Local Intranet zone,Trusted Sites zone,and
Local Machinezone.
ZoneElevation Blocks also disables JavaScript navigation if thereis no security context.
If a user clicks a link that causes the Web siteto attempt to navigateto a higher zone, navigation is blocked for navigation to
theLocal Machinezone, buta dialog box will appear in InternetExplorer when a Web pageattempts to open a pagein a
security zonethat has a higher security contextand you will be prompted as in thefollowing message.Theitalicized portion
changes,according to thesecurity zonethat the Web pageis attempting to navigateto.
Thecurrent Web pageis trying to open a sitein your Trusted sites list. Do you want to allow this?
In any case, the defaultaction does notallow thezoneelevation.The user mustexplicitly allow therequested zoneelevation.
Why is this change important?
Elevation of privilegeis one of the mostexploited vulnerabilities in InternetExplorer, with the ultimate goal of running
malicious codein theLocal Machinezone. ZoneElevation Blocks helps mitigate many privilegeescalation attacks.
What works differently?
Navigation from onezoneto a “higher” zoneis blocked.This means that Web pages thatautomatically call more privileged
Web pages fail.
How do I resolve these issues?
If you havea trusted Web application that is impacted by this change becauseit navigates between different security zones
without user interaction,you should map the domains that the Web application uses into thesecurity zone with theleast
privilege necessary to perform thetask for which theapplication was designed.