Sunday 01 February 2004

Hacking Internet Explorer's "My Computer" Zone

Courtesy of the folks over at news://

One way round the Windows XP Malicious Folder bug is to tighten the "hidden" Internet Explorer "My Computer" Zone. This is because the "Proof of Concept" on that page relies on the ActiveX Controls on the "My Computer" zone being enabled before it can work; disabling all ActiveX controls in the Internet Zone has no effect on Windows XP boxes and you will still be vulnerable to the bug.

If you have taken a peek at the "Security" Tab of Internet Explorer's Options, you know that there are 4 zones listed: The Internet Zone, The Local Intranet Zone, The Trusted Zone and the Restricted Zone. What you may not know is that there is also a "My Computer" zone which is hidden by default and in order to lock it down, you need to know how to unhide it first:

But why is there a need to have a "My Computer" zone in Internet Explorer? Apparently, it has something to do with the decision to integrate Internet Explorer with the Operating System, the idea was to have a sandbox between the Internet Zone and the Computer Zone but this has not worked out in practice and will hopefully be rectified in Windows XP Service Pack 2

This article assumes that you are using Internet Explorer as your main browser but even if you aren't, providing you are using Windows, I think it is a good idea to lock down the Computer zone now if you do not wish to wait till Windows XP service Pack 2 which may or may not lock it down.

Related Reading: Internet Explorer Security Zones

Related Reading: The Registry