Information stored on the Internet may become available to unauthorized users who exploit security vulnerabilities. One security vulnerability may involve improper access to a particular URL (Uniform Resource Locator) security zone. A URL security zone includes a group of URL namespaces that are assigned an equal level of permissions (or trust). Each URL action for the zone has an appropriate URL policy assigned to it that reflects the level of trust given to the URL namespaces in that zone. The URL actions may include actions that a browser can take that might pose a security risk to the local computer. Actions that might pose a security risk include actions such as running a JAVA applet or an ACTIVEX control. The URL policy that controls these actions within the security zone, determines what permission or trust level is set for a particular URL action. For example, the policy may dictate that the safety level for JAVA be set to high.
Certain browsers divide URL namespaces into URL security zones, which are assigned different levels of trust. The default URL security zones may be customized by changing the URL policy settings for each URL action. Each URL security zone has a set of URL actions with a URL policy assigned to each action. A URL policy is assigned to each URL action to determine how that URL action is handled. A number of default security zones have been created to assist in the assignment of security policies to various browser actions, including the intranet zone, trusted site zone, Internet zone, restricted sites zone, and local machine zone.
Users use the intranet zone for content located on an organization's intranet. Since the servers and information is within an organization's firewall, a user or organization can assign a higher trust level to the content on the intranet.
Users use the trusted sites zone for content located on Web sites that are considered more reputable or trustworthy than other sites on the Internet. Users can use this zone to assign a higher trust level to these sites to minimize the number of authentication requests. The user adds the URLs of these trusted Web sites to this zone.
Users use the Internet zone for Web sites on the Internet that do not belong to another zone. This default setting causes the Web browser to prompt the user whenever potentially unsafe content is ready to download. Web sites that are not mapped into other zones automatically fall into this zone.
Users use the restricted sites zone for Web sites that contain content that can cause, or may have previously caused, problems when downloaded. Users can use this zone to cause the Web browser to alert them whenever potentially unsafe content is about to download, or to prevent that content from downloading. The user adds the URLs of these mistrusted Web sites to this zone.
The local machine zone is an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Web browser caches on the local system, is treated with a high level of trust.
An entity attempting to improperly gain access to a user's computer, may attempt to get access through the local machine zone. The entity may attempt to navigate from one zone to a higher security zone, such as to the local machine zone, to gain access to otherwise restricted content. Attempting to “elevate” the zone status of a web page is one method by which an unauthorized entity may infiltrate a user's restricted content.