It’s no secret that you’re tempting fate if you use Internet Explorer (IE) as your primary browser. This was highlighted recently, when it was revealed that Chinese hackers breached some Google accounts, thanks to an exploit in IE. Even if you don’t use Internet Explorer as your primary browser, sometimes don’t have a choice and must use it. For example, if you’re using Windows XP, you need to use Internet Explorer to run Windows Update. Or, perhaps you’re in a work environment, and your email program opens hyperlinks in IE (opening email links is a danger in and of itself, but that’s a post for another day). Here, then, are five steps to take to lock down Internet Explorer.Photo by volantra.
1. Update
You can solve most of the IE security problems by keeping your system current. This means two things:
- Turn on Automatic Updates in WIndows Update. Depending on your version of IE, this will either be in the Tools menu, or the Security menu. From there, select Windows Update, and then along the right side of the screen you will see an area where you can turn on automatic updates.
- Make sure that you’re using the most current version of IE (currently IE8). If you use Automatic Updates with Windows Update, or otherwise keep you system current, you probably already have IE8. If not, go get it from Microsoft.
2. Secure the Internet Zone
The next step is to prevent web sites from running malicious scripts, or performing other bad stuff, while using Internet Explorer. From within IE, click on Tools > Internet Options. Click on the Security tab, and then select Internet (the big globe). Under “Security level for this zone,” drag the slider all the way up to High, and then click Apply.
3. Secure the Local Zone
In the same window, click on the Local intranet icon (just to the right of the Internet globe in the Security tab). Just as you did in Step 2, above, drag the slider to High. If you don’t see a slider, you will first need to click the “Default level” button, and then drag the slider to High. Click Apply when finished.
4. Add Exceptions
Internet Explorer is now fairly secure, but will be a real annoyance to use. Many sites won’t function properly now. You’re not using it for your primary browser, though, so you don’t care too much, right? Certain essential sites, though, such as the Windows Update site, may be broken too.
To fix this, click the Trusted sites icon, which is found in the same window you’ve been working in for steps 1 to 3. It’s the setting with the big green checkmark. Then, click the “Sites” button. In the Window that appears, make sure that there is no check in the box next to “Require server verification (https:) for all sites in this zone.” You then will need to add eight sites to this zone. Type each of the addresses below, one at a time, into the “Add this . . . ” box, and then click the “Add” button. The eight seven (thanks to reader Steve Broshears for pointing out that the original list had a duplicate) sites are as follows:
- http://*.windowsupdate.microsoft.com
- http://*.windowsupdate.com
- http://update.microsoft.com
- https://update.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://download.windowsupdate.com
http://update.microsoft.com
** February 21, 2013 Update: Steve has subsequently emailed me to let me know that Windows Update gave him an error message when setting the level to max, and told him that he needed to set these five addresses to trusted:
- http://update.microsoft.com
- https://update.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://download.windowsupdate.com
Once you’ve added all eight seven to the list, click close, and then click OK. Entering all eight could be overkill – on one of my machines, I only needed to enter the first two of these addresses. On my netbook, though, I was prompted for the remaining six five after entering the first two, and trying to run Windows Update.
Implement these four steps, and Internet Explorer will be much more secure. Do you have any other tips for locking down Internet Explorer?
