A critical step in protecting your network is to prevent users from accessing unauthorised Web sites. Malicious code on these sites can wreak havoc on crucial network systems and can destroy mission-critical information. But although there are several options for blocking this access, they are not always foolproof.
Some network administrators add a list of forbidden Web sites to the company's firewall, but it's impossible to catch all of the sites that should be blocked. Plus, using a firewall for this purpose could seriously degrade its performance.
Running special third-party software designed to block
certain types of content on a dedicated server is a better method, because the
vendor usually provides a database containing a listing of all prohibited Web
sites. But the software can be expensive, and because all outbound requests must
be compared against the database, it can drastically decrease your company's
Internet access speed.
Perhaps the easiest method of blocking access to
restricted sites is done directly through Internet Explorer (IE), by using IE to
filter content from your network and prohibit certain malicious scripts from
running.
Second in a series
Last
week's installment explored customising IE's security zones to block
harmful content from infiltrating your network. Next week's article will
discuss more methods of customising IE's
security.
Getting started
Selecting the Internet Options command from IE's Tools menu will bring up the Internet Options properties sheet. Select the Content tab, and click the Enable button in the Content Advisor section to bring up the Content Advisor properties sheet.
The first tab you'll encounter on this
properties sheet is the Ratings tab, shown in Figure A.
| Figure A |
 |
Many Web sites are rated by the Recreational Software Advisory Council (RSACi), in the same manner that movies and television shows are rated. The Ratings tab allows you to set the RSACi rating that you'll permit in the categories of Language, Nudity, Sex, and Violence.
You can break down each category to determine the level that you think is acceptable. For example, you could break down the Nudity category to permit none, revealing attire, partial nudity, frontal nudity, or a provocative display of frontal nudity (Figure B).
| Figure B |
 |
The only problem with going by RSACi ratings is that not all sites are rated. If you aren't too wild about the idea of an unapproved site slipping through the cracks, then you can use the Approved Sites tab (Figure C) to specifically tell IE which sites should be allowed and which sites should never be allowed. Because this tab works based on a site's URL, it's totally independent of any ratings.
| Figure C |
 |
Of course, if you'd rather stick to playing the ratings game, then you have some more options. The General tab (Figure D) allows you to use other Internet rating systems, such as SafeSurf, to either replace RSACi or work in conjunction with it.
| Figure D |
 |
Protect against malicious code
Now that you've got an idea of how to limit access to
some sites and control how Internet Explorer responds to potentially harmful
content, it's time to take a closer look at that dangerous content. While IE's
security zones settings can block access to ActiveX controls, why would you need
to prohibit such access?
Obviously, you can use--and I recommend--antivirus
programs like Symantec's
Norton AntiVirus or McAfee's
VirusScan. Unfortunately, antivirus software isn't designed to detect all
types of malicious scripts. It also takes a relatively destructive script to
trigger an antivirus alert.
The threat you'll more likely encounter while
surfing is a Web-based Trojan horse, a program that contains harmful code or
malicious scripts designed to control or damage your computer or network.
Fortunately, you can configure IE to prevent such scripts from
running.
On the Security tab of the Internet Options properties sheet,
you might have noticed a Custom Level button. If you click this button, you can
take full control over every aspect of Internet Explorer's security
settings.
For most of the options that are available (such as allowing
Java scripting), you may either enable or disable the operation. You can also
use the Prompt option to allow users to decide if they want the script to run or
not.
The primary type of potentially destructive script is a Java applet,
which can unleash pure evil upon your system. I once encountered a Java applet
that attempted to modify my Windows registry. Had Norton AntiVirus not
intercepted the operation, I might have never known that anything was wrong
until it was too late.
While Internet
Explorer's security zones can determine the types of scripts that are
allowed to run, if you haven't added a site to a security zone, Internet
Explorer will simply use the default settings. These default settings allow
fairly liberal Java applet behavior, but I recommend placing the Java
Permissions into the High Safety category (Figure E).
| Figure E |
 |
If you're still leery of Java applets, you could completely disable Java for the Internet security zone. You might also choose to disable scripted paste operations, disable scripting altogether, or simply disable scripting of Java applets.
Of course, Internet Explorer doesn't limit you to enabling or disabling an option. You always have the choice of prompting the user as to whether or not to run a script.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
© 2001 TechRepublic, Inc.
