Microsoft has detailed some significant changes in Internet Explorer 7's "security zones" that it claims will eliminate some of the browser's most notorious vulnerabilities.

Security zones group sites and give each group a different level of access to the local system. The zoning system has been an Achilles heel for Explorer in the past, with malicious sites able to gain access to the user's system by tricking the browser.

Microsoft's Vishu Gupta, Rob Franco and Venkat Kudulur, writing on the official IE Blog last week, said improvements such as URL parsing in Windows XP SP2 and Explorer 7 have been designed to limit such vulnerabilities. "If there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in," they wrote.

The changes to the zoning system are designed to reinforce these improvements by making the zones themselves less permissive, Microsoft said.

One of the most significant changes for enterprise users will be the elimination of the intranet zone. "We realised that the intranet zone (and its lower restrictions) is not relevant at all to the typical home user running IE," wrote Gupta, Franco and Kudulur.

In Explorer 7, Windows machines that aren't on corporate networks will treat apparent intranet sites as Internet. "This change effectively removes the attack surface of the intranet zone for home PC users."

If the machine has joined a domain, the browser should automatically detect intranet sites and run them under the usual, more permissive rules, Microsoft said. If the auto-detect mechanism doesn't work for whatever reason, admins will be able to set group policy for the intranet to ensure things work properly.

Users will also be able to implement intranet settings for particular sites, Microsoft said. "IE will show an information bar when visiting a probable intranet site," wrote Gupta, Franco and Kudulur. "If a user wants to re-enable their intranet zone, they'll be able to."

Internet zone and trusted sites

The other changes will be to the Internet zone and the trusted sites zone, Microsoft said. Settings will be locked down for the Internet zone: it will run in Protected Mode on Windows Vista, and the ActiveX Opt-In feature will apply. This feature will give attackers one more barrier to get through before they will be able to execute malicious ActiveX controls, one of the more common ways of attacking Windows systems, Microsoft said.

The locked-down settings used in the Internet zone will be given a new designation: "Medium-High".

Microsoft said it has decided the trusted sites zone is probably too permissive to be safe. "We find that many users don’t understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user’s machine," wrote Gupta, Franco and Kudulur.

By default Explorer 7 will assign "trusted sites" a "Medium" security level, the level given to Internet-zone sites under Explorer 6, Microsoft said. Users will get the option of manually lowering the trusted-sites security settings back to the Explorer 6 level via Internet Options or through policy settings, Microsoft said.