Debugging problems with IE Security Zones

Internet Explorer has quite a complex security model compared to other browsers. One unique feature is the infamous Security Zone. Zones apply different policies to code based on the URL. By default, you have the following zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

IE Zones Dialog screenshot.

Each of these zones has a slightly different con­fig­u­ra­tion depending on the intended usage. For example, the Internet zone is designed to handle untrusted code from the internet. The settings are locked down tightly, and recent versions of IE run this code in a sandbox with Protected Mode.

Compare this to the Intranet zone which has a more relaxed con­fig­u­ra­tion. If a URL is included in this zone it is considered to be trusted to a greater degree than one in the Internet zone. IE will even respond dif­fer­ent­ly to au­then­ti­ca­tion requests for sites in the Intranet zone to support Windows Au­then­ti­ca­tion (see IWA, NTLM, Kerberos, and SPEGNO.)

Everything is fine and dandy when your ap­pli­ca­tion has code that only loads from URLs belonging to a single zone. However, things will start to go pear-shaped when you have code loading from different zones. The exact behaviour will depend on your ap­pli­ca­tion, but you'll often see in­con­sis­tent behaviour between en­vi­ron­ments. The ex­pla­na­tion for this is often the ap­pli­ca­tion of group policy resulting in different con­n­fig­u­ra­tions across machines.

So how do you go about debugging these issues? My approach is to start with the following:

  1. Make sure the problem only happens in IE. Doing this will save you a lot of pain as debugging with the Chrome developer tools is often a more pleasant experience than using the IE tools.
  2. Identify all of the domains hosting your code. Understand what zones contain your host page, and which ones contain other scripts or code that you are pulling in.
  3. Tem­porar­i­ly move all of the code into a single zone. If you move all of your code into a single zone for testing you can confirm whether Protected Mode issues are at the heart of your problem. You may need to tweak some IE zone settings to get the features you need, but it's a good start.
  4. Disable com­pat­i­bil­i­ty view. Sites in the Intranet zone use this feature by default, and it can cause problems. Tem­porar­i­ly turn it completely off for the Intranet Zone so that that things are consistent across zones.
  5. Use IE Zone Analyzer. This tool allows you to review the con­fig­u­ra­tion of zones in great detail, and help with bugs that only appear in certain en­vi­ron­ments. It is available for free from Microsoft.

IE Zone Analyzer screenshot.

At this point you'll be in a better position to debug specific code in IE, but how do you remediate the problem? Well you have to make a change somewhere. It is common for admins to add wildcards like *.domain.com to the Intranet zone. Naturally this will not dis­crim­i­nate between Intranet sites, and cause a lot of problems if you have modern code that doesn't run well under Com­pat­i­bil­i­ty View. Try to educate your admins on the ap­pro­pri­ate con­fig­u­ra­tion so that your en­vi­ron­ment will be more secure, and you'll also spend less time debugging!

Tagged with internet-explorer, javascript and debugging.