Debugging problems with IE Security Zones

Internet Explorer has quite a complex security model compared to other browsers. One unique feature is the infamous Security Zone. Zones apply different policies to code based on the URL. By default, you have the following zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.

IE Zones Dialog screenshot.

Each of these zones has a slightly different con­fig­u­ra­tion depending on the intended usage. For example, the Internet zone is designed to handle untrusted code from the internet. The settings are locked down tightly, and recent versions of IE run this code in a sandbox with Protected Mode.

Compare this to the Intranet zone which has a more relaxed con­fig­u­ra­tion. If a URL is included in this zone it is considered to be trusted to a greater degree than one in the Internet zone. IE will even respond dif­fer­ent­ly to au­then­ti­ca­tion requests for sites in the Intranet zone to support Windows Au­then­ti­ca­tion (see IWA, NTLM, Kerberos, and SPEGNO.)

Everything is fine and dandy when your ap­pli­ca­tion has code that only loads from URLs belonging to a single zone. However, things will start to go pear-shaped when you have code loading from different zones. The exact behaviour will depend on your ap­pli­ca­tion, but you'll often see in­con­sis­tent behaviour between en­vi­ron­ments. The ex­pla­na­tion for this is often the ap­pli­ca­tion of group policy resulting in different con­n­fig­u­ra­tions across machines.

So how do you go about debugging these issues? My approach is to start with the following:

  1. Make sure the problem only happens in IE. Doing this will save you a lot of pain as debugging with the Chrome developer tools is often a more pleasant experience than using the IE tools.
  2. Identify all of the domains hosting your code. Understand what zones contain your host page, and which ones contain other scripts or code that you are pulling in.
  3. Tem­porar­i­ly move all of the code into a single zone. If you move all of your code into a single zone for testing you can confirm whether Protected Mode issues are at the heart of your problem. You may need to tweak some IE zone settings to get the features you need, but it's a good start.
  4. Disable com­pat­i­bil­i­ty view. Sites in the Intranet zone use this feature by default, and it can cause problems. Tem­porar­i­ly turn it completely off for the Intranet Zone so that that things are consistent across zones.
  5. Use IE Zone Analyzer. This tool allows you to review the con­fig­u­ra­tion of zones in great detail, and help with bugs that only appear in certain en­vi­ron­ments. It is available for free from Microsoft.

IE Zone Analyzer screenshot.

At this point you'll be in a better position to debug specific code in IE, but how do you remediate the problem? Well you have to make a change somewhere. It is common for admins to add wildcards like *.domain.com to the Intranet zone. Naturally this will not dis­crim­i­nate between Intranet sites, and cause a lot of problems if you have modern code that doesn't run well under Com­pat­i­bil­i­ty View. Try to educate your admins on the ap­pro­pri­ate con­fig­u­ra­tion so that your en­vi­ron­ment will be more secure, and you'll also spend less time debugging!

Tagged with internet-explorer, javascript and debugging.

First impressions of Windows 7 Beta 1

After a very quick install on a Dell XPS M1710 laptop, and a few hours of messing around, I have come to the conclusion that this is going to be the best release of Windows yet. At the same time, it's not very exciting for the alpha geek in me. Perhaps it is good to have regular stable releases and leave the fireworks to user ap­pli­ca­tions?

Before I list some of the things that I like, or didn't as the case may be, I have a tip for anyone trying to get Aero running on the M1710. For some reason, Beta 1 doesn't have drivers in the box for the NVIDIA GeForce 9700M GT. Just download the mobile drivers from the NVIDIA website and install the Vista version using the "Have a disk..." option. Ignore any warnings about com­pat­i­bil­i­ty, the Vista drivers are close enough and I would expect NVIDIA to release some beta drivers for Windows 7.

What I liked

Per­for­mance im­prove­ments

This has been a problem for a large number of Vista users and Microsoft have made big strides according to my un­sci­en­tif­ic testing. Little things like searching for programs on the Start menu is noticeably quicker than Vista on the same machine. No doubt anti-virus vendors are working on ways to reduce the per­for­mance.

System protection

You can now reserve a percentage of disk space to storage of old versions of user and system files (just like Recycle Bin has done since Windows 95). This is something I would want to increase for someone like my Mum.

Task bar ap­pli­ca­tion in­te­gra­tion

The thumbnails introduced in Vista are now more useful since you view individual tabs in an ap­pli­ca­tion like Internet Explorer 8. When you have a long running task like a file copy, the progress is shown directly on the task bar when minimised.

Easier wireless network access

Clicking the network icon in the task no­ti­fi­ca­tion area now shows a list of network con­nec­tions. This makes it much easier to connect, and is similar to the experience in Apple OS X.

No­ti­fi­ca­tion area grouping

I find the pollution of the task no­ti­fi­ca­tion area to be a real pain. Every ap­pli­ca­tion thinks it belongs there and needs to be visible. With Vista you could force some items to be hidden, in Windows 7 they are grouped under a single icon. It only takes simple stuff to improve the overall experience.

Requires more thought

Taskbar ap­pli­ca­tion iden­ti­fi­ca­tion

So is Internet Explorer running, or do you have a shortcut pinned to the task bar? It's hard to see on the task bar, but I can see the rationale for this design decision. It would be nice if there was an option for clearer iden­ti­fi­ca­tion, such as the name of the ap­pli­ca­tion appearing on the task bar. I suspect more use of Windows 7 will result in a change in my ex­pec­ta­tion for this aspect of task bar operation.

IE 8 rendering issues

There is a still a lot of work to do here. I suspect that a lot of people will enable com­pat­i­bil­i­ty mode to enable sites to load. One site with problems was GMail (I'm using Google Apps for e-mail).

Tagged with internet-explorer, task-bar, dell, geforce, nvidia, review, windows and windows7.