This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed. But relaxing it is exactly what I often see being done in enterprise environments. The risk is real that anyone who has any control over any content on any web server in those security zones could easily and surreptitiously take complete control of visitors’ computers and user accounts, and in a way that could be difficult or impossible to trace. You should make sure the setting is disabled. Full details (and demo) in the blog post.
IEZoneAnalyzer version 3.5 adds a Zone Map Viewer that shows which web sites have been specifically assigned to security zones and whether the assignment is effective.
Documents previously undocumented aspects about how explicit site-to-zone mappings are processed (including bugs), which registry keys contain effective settings and which are ignored, and describes the “ZoneMapKey” which is often mistakenly thought to be more interesting than it is.
"AlwaysInstallElevated" is a risky Group Policy setting that has escaped the notice of the security community up to this point. This post describes and demonstrates the risks with screenshots of a proof of concept.
If you stick with the Windows defaults wherever possible or industry-standard configurations such as the Microsoft Windows security guidance or the USGCB, and use proven enterprise management technologies instead of creating and maintaining your own, you will increase flexibility, reduce costs, and be better able to focus on your organization's real mission.
A utility to compare IE security zone settings and to see the effective settings for an IE security zone.
Java's old application-compatibility model of supporting multiple side-by-side JRE installations is unsafe and no longer tenable. Oracle now recommends having only the latest JRE installed and uninstalling all older versions.