This post is about a security setting whose ability to enable serious harm when relaxed is often underestimated, yet relaxing it is exactly what I often see done in enterprise environments. Once it is relaxed, anyone who controls any content on any web server in the affected security zones could easily and surreptitiously take complete control of visitors’ computers and user accounts, in a way that could be difficult or impossible to trace. Make sure the setting is disabled. Full details (and a demo) are in the blog post.