web browser security zones

[Kevin Shalla <kshalla () UIC EDU>]

This prompts me to ask about web browser security zones.  Does anyone
make substantial changes to the default IE security zone
security?  How effective is this?  We make a few changes (adding
certain sites to the trusted sites and granting certain extra access
in that zone), but not much.  Do other browsers have such detailed
settings by security zone?  It appears that Firefox has very little
granularity (just load images and popups) in the security setup.

At 11:54 AM 1/10/2006, David Gillett wrote:
>   I recall that, a few years back, it was common for Microsoft
> to downplay IE bugs with this "must get user to visit a
> suspicious site" argument.
>   And then some hacker crew broke into a hosting company and
> defaced 500+ legit websites, adding code that exploited some
> of those vulnerabilities.
>
>   The notion that users can have any real idea, a priori, about
> the actual safety of any site is just false.
>
>   [On average, I'd agree that some sites are *more likely* than
> others to be booby-trapped, and that factor may have its place
> in the policy and "user education" sides of security management.
> But I don't think it's really useful in assessing the severity
> of a vulnerability.]