Slashdot Mirror


Zone-Spoofing Fixed for IE 7 Home Users

BeanBunny writes "The IE 7 dev team has essentially removed the intranet zone for Home users, resulting in a Web browser that is effectively invulnerable to a zone-spoofing attack. This security feature does not exist, however, on any installation that is part of a managed network. It also does not exist if you manually change the permissions on your Internet zone. However, in Windows Vista, both zones will be run in a 'protected mode,' something that allegedly prevents the invisible installation of code."

7 of 115 comments

  1. Code signing will finally be more effective by stonebeat.org · · Score: 2, Interesting

    I like this move. Code signing of ActiveX controls will be more effective, since all code will have to be signed before execution. Plus IE 7 has the capability to create a whitelist of certain trusted signers, and reject everything else. See Do you Code Sign ??? for more details.

  2. Re:Remove the Internet Zone too by Cheapy · · Score: 2, Interesting

    "No browser is safer than IE if you prevent it from accessing a network!"

    Oh, I'm sure someone will still find a way.

    --
    Would you kindly mod me +1 insightful?
  3. Vista is taking a page from *nix by wyckedone · · Score: 3, Interesting

    IE7 is supposed to run in a fully protected mode by default. The protected mode is similar to a non-root user in *nix so that non-admin user programs do not have access to modify system files or settings. This is supposed to prevent spyware/adware that hooks into Windows processes and keep something one user may install from affecting other users of the system.

    Slowly but surely MS is learning a few good tricks from the Linux crowd.

  4. So we know that security will be covered in Vista by mattyohe · · Score: 4, Interesting

    But where is the innovation?

    I'll be honest, I haven't followed the Vista track that closely, but I have yet to hear of any evolutional or even revolutional features that I can look forward to. I read the slashdots and the diggs of the internet so, are these sources too Google and Apple happy to report on the Windows front? Or is there simply nothing to report?

    Other than Metro and their attempts at making their OS work like Tiger, what is left?

    Don't say security.

    --
    - what is the definition of simultanagnosia?! I've been meaning to look it up!
  5. How about... by nurb432 · · Score: 2, Interesting

    How about they just fix the damned holes instead?

    This is about as bad as putting duct tape over the rusted out holes in an old car: "see, it's all better now"

    --
    ---- Booth was a patriot ----
  6. A ploy to force upgrade of corporate networks? by giuntag · · Score: 1, Interesting

    The funny thing is all corporate networks that have no Windows domain fully deployed yet will be in big trouble, unless the admins deploy some extra security policy that switches back intranet sites to the local zone. Otherwise no ActiveX, stuff will get broken, etc...

    (from the IE blog: only PCs connected to a domain will have a local zone enabled)

    Looks more like a ploy to force all corporate users to move to Active Directory ASAP...

  7. Sadly, the slashdot crowd WANTS IE to be insecure by I'm+Don+Giovanni · · Score: 5, Interesting

    All of the snide remarks in this thread indicate that most of you hate any improvement in IE for fear of losing some of your anti-M$ ammo. Deep down in your hearts, you WANT IE to be insecure, you WANT Windows to be insecure, you WANT Vista to bomb, just like you LOVED Win9x crashes. The fact is, Microsoft is addressing their security problems, just as they did their stability problems, and that scares you guys to death.

    You lost your stability argument, and slowly but surely, you're losing your security argument (the last major security outbreak happened back in 2003, and things will only get worse for you in Vista, where the default accounts are non-admin). Face the facts that you're going to have to find another argument ("free, as in beer", I suspect).

    --
    -- "I never gave these stories much credence." - HAL 9000