Securing internet explorer.

[zoooom 0]

Is there a way to use some kind of lockout on ie so that it can only affect local files such as cookies and favorites... If a power user is using ie and has permissions to delete certain files does ie have these permissions when ran by that user? Doesnt this mean that if a bug/exploit were found in ie it could infect the host? Im trying to find a way to run the program as an unpriveledged account.. I can do this with "run as" but this isnt going to work every time. Something tells me that microsoft has secured ie internally somehow without needing a special user attached to it.. But it would be a great feature not only for ie but other apps as well to force an unpriviledged user or even better.. a policy on the application that says it can only effect the profile in documents and settings and/or specific folders. This would really help in securing applications like ie... Lately ive been just really paranoid..

[zoooom 0]

Yeah see this is exactly my point. Ok say im logged in as an administrator ( which i wont use to surf the web but lets just pretend ) and I start surfing the web... I hit a malicous website that knows about a new exploit that I havent patched yet or simply m$ is unaware of yet... If they do exploit ie it will be able to infect system files.. delete system files or pretty much anything that an administrator can do... Of course there are ie settings that can prevent this.. Different security zones, etc etc.. But this will never garantee safety.. If a user such as admin/power user or even a regular user.. I want to be able to restrict access to files for an application no matter who runs it. ntfs would solve the problem if i could force ie to run on an unpriveledged account. I could create an account called IE_USR.. That would have access to documents and settings only... Then no matter what happened to the browser the ntfs permissions would trap any attempt to harm critical files. Even if Administrator is using it. I think this should be a requirement for all applications.. it could prevent the spreading of virii to the system.. why should an application be given full rights such as an administrator. It should be sortof jailed into the files/folders that it only needs. In fact defaulting executables to no access would be fantastic. Then creating policies on the application for what actions it can perform. This would be very secure.. virii couldnt spread.

[DS3Circuit 0]

Make Web Browsing with Internet Explorer More Secure: Use Web Content Zones

 

http://www.pericson.com/writings/ie_zones.shtml

 

Also, if this is on a grand scale, there are certain internet appliances that filter active x, j script, and such on a layer 7 implementation.

[zoooom 0]

Quote:

Ok, this is policies stuff... you can limit what apps can be run, or NOT run, & the best way to do this on a LAN is to use roaming profiles that are stored on another machine that only YOU as the domain admin have rights to on the files & folders. You can stall them RIGHT there, by their profiles (parts of their registry hives stored remotely, not just the profiles folders you see on your machine). Other networking types here can tell you pretty much the same.

I just learned about roaming profiles the other day. Very cool stuff. I am learning new stuff every day so I will probably end up getting around to it.. Group policies isnt something I have totally gone through yet.. Only have sortof glanced at. After hearing what you said I think It will probably contain at least someone Im looking for.

[zoooom 0]

Quote:

Make Web Browsing with Internet Explorer More Secure: Use Web Content Zones

The only problem with zones are its still not 100% safe. And it completely restricts access to sites like download.com and even microsoft ( with the new improved security ) Even still... Im looking for more of a way to allow the os to secure it not ie... So that when the ball starts to roll the operating system will have the last word. Not ie.

Quote:

Also, if this is on a grand scale, there are certain internet appliances that filter active x, j script, and such on a layer 7 implementation.

Yes i have seen this... enterprise firewall? Very neat... blocks popups too. I cant cripple activex completely... ActiveX is actually needed for macromedia flash, shockwave.. Which i trust. But I dont see how it needs to be give rights to modify dll. Should have read only access to dll.