IE7 and Intranets



November 16th, 2006 by Kat Kingsley-Hughes

Question: I have installed IE7 what happened to my Intranet?

Internet Explorer 7 is a whole new ball of wax in many ways.  Some things which we took for granted before are now complex.  One of these, that I suspect is going to particularly irritate corporate users, is the change in how the browser looks at intranets. 

What is an intranet?  Well an intranet can be a lot of things, but put simply it means HTML documents that are stored on a computer that you are networked to.   This is very useful where staff members need to be able to share information and over the years a great many intranets were set up this way.   All you had to do was share a folder on your system and specify who had access to it, create a few HTML documents containing the information you wished to share (such as an internal phone number list or help files for software) and bingo you had an intranet.  This is useful in the corporate environment, the SOHO (small office/home office) environment and even in the home (for example a photo album made into a small web of linked HTML pages).

Whilst being able to access a web page in this way was very useful, it did have potential dangers in that any web document download from the internet and saved onto a shared resource was potentially virus laden and made the browser vulnerable to spoofing of the intranet zone by malicious applications.  So that’s all been changed with IE7 and the first you’ll notice of that is if you try to access your intranet you may get a warning

‘Intranet settings are now turned off by default. Intranet settings are less secure than Internet settings. Click for options …’ 

If you’re on an intranet that is part of a domain Internet Explorer 7 should detect this automatically and adjust settings accordingly. If however you’re on a simpler kind of network where resources are shared via UNC paths it won’t be detected until you try to access it, when you’ll get the warning below. 

Intranet settings are now turned off by default. Intranet settings are less secure than Internet settings. Click for options …
(click to enlarge image)

Clicking for more options doesn’t give you much clarity as to what it all means: 

Enable Intranet settings

Don’t Show Me this Again – Setting it not to remind you again is probably the simplest and easiest option – after all we’re clicking not to be reminded about stuff all day long! – especially if you’re not sure what type of intranet you have (or indeed if you have one at all!).  If you find something doesn’t work later on, you can always follow the settings below to enable intranet settings. 

What this will means is that web pages in your local intranet are regarded as if they are on the internet - with the higher level of security (and correspondingly lower level of privileges, access to your file system etc ).

Local Intranet in the Internet Zone on IE7

Enable Intranet Settings – So if I have an intranet should I enable Intranet Settings?

Intranet settings use a less secure level than the Internet.

What you do next depends, I would say, on what sort of information your intranet holds and how it works. If you use complex forms to fill in information or use plug-ins, ActiveX controls or anything that accesses the file system you’ll probably want to bring that into the Intranet Zone (because if the browser looks at it as the Internet Zone things might not work as you want them to, due to the higher level of security).  In that case you would click on the ‘Enable Intranet Settings’ button. 

You’ll also be able to get back to this setting if you choose the other option by going to ‘Tools’ > ‘Internet Options’ > ‘Security’ and choosing the ‘Intranet Zone’ there. 

Internet Options, Local Intranet zone
(click to enlarge image)

From there click the ‘Sites’ button and uncheck the ‘Automatically detect intranet network’ checkbox.

Automatically detect intranet network
(click to enlarge)

What this will means is that IE7 will take your local intranet pages and place them in the local intranet zone with a lower level of security (and a correspondingly higher level of access of what those pages can do).

Your pages are in the Local Intranet zone

It’s a lot to take in.  I feel I must draw a simple conclusion (after all you’ve read through a lot here!) the bottom line is that unless your intranet contains complex scripting, ActiveX controls etc, leave it in the Internet Zone. 

Note about Sites bypassed in Proxy Server settings
The new intranet detection system is also by default set to consider sites  that are excluded from your proxy server as being Intranets. (You’ll find these listed as ‘Exceptions’ under ‘Tools’ > ‘Internet Options’ > ‘Connections’ > ‘LAN Settings’ > ‘Advanced’.)  It’s important to realize however, that a website that is known and administered by you is still potentially dangerous to you it, for example if that site was hacked.  Seems a strange assumption to make that sites you bypass from a proxy would be automatically considered safe, but perhaps it’s a necessary assumption for corporate users on domains.  For intranet users who are not on domains it’s probably better to keep those in the Internet Zone.

Automatically detect intranet - include all sites that bypass the proxy server

Symantec Norton AntiVirus 2007

This entry was posted on Thursday, November 16th, 2006 at 7:44 pm and is filed under Browsers, Your Questions Answered. Both comments and pings are currently closed.

7 Responses to “IE7 and Intranets”

  1. IE7 and intranets » The PC Doctor Says:

    [...] Kathie  looks at how security changes in IE7 affect intranets over on her blog Vexentricity. [...]

  2. Kalman Says:

    best explanation! thnx

  3. Patrick Says:

    Well, I sort of understand. I am on a 'LAN" with my wife's computer at the house. She asked me how to create a hyperlink in an Email. I showed her how to do it and she Emailed me a test message so I could verify it was working. When I clicked on the link she sent, a new browser window appeared and a seperate error message appeared instructing me to connect to my dial-up connection. (I am using a broadband internet connection). The URL of the link appeared in the address line of the browser, but the browser window was set to "work offline" and I couldn't get it to connect.

    An information bar appears: "Intranet settings are now turned of by default. Intranet settings settings are less secure than Internet settings. click for options...."A blank page displays.

    I didn't know I had an intranet or an UNC path. What is the difference between an intranet and a LAN?

    Well, I'll have to see if I can fix this....

    Pat,

    Tijuana, Mexico

  4. Sam Says:

    Thanks Kathy. I think you saved me from getting infected or hacked - I was trying out a new proxy tool and this message popped up. The author of the tool had suggested that you should turn ON the intranet settings. If I hadn't read your article, I probably would have too!

  5. Jeff Says:

    Isn't this a little insecure. Doesn't it mean that anything dropped on a UNC which could be launched from within a web site (//102.245.112/DoSomethingVeryNasty) would have elevated privleges? Could this be opening a big hole in your computer security?

  6. Phil C Says:

    The thing that creates confusion for me is the phrase "Intranet settings are turned off"
    There are 'settings' for EVERYthing, and to say that "settings are turned off" seems to be an impossibility.
    It seems the same as saying there are no longer any settings for the intranet, or your settings have been frozen at whatever they were when they were "turned off".

    Does it instead mean that access to my intranet by means of Internet Explorer has been disabled?
    Or..
    Does it mean that access to my intranet by Intenet Explorer is now unlimited, because 'intranet settings" (IE's awareness that there is an intranet?) are now turned off?

    Microsoft's obscure phrasing and terminology are outrageous.

  7. Phil C Says:

    I meant to add ...
    If "intranet settings are turned off" means access to my intranet via IE is disabled, thats fine.
    It would be nice if they used normal language.
    Something like:
    "Intranet access by Internet Explorer has been disabled by default. Click for options..."
    That is.. if i am right about what it means ... sheesh.

%d bloggers like this: