Determining When to Modify Security Policy
You do not necessarily need to modify the default security settings. For many situations, the default security settings provide an adequate level of protection. Code that does not originate from the local computer (and is therefore likely to be less trustworthy) receives restricted access to protected resources under the default security policy. Code originating from the Internet and local intranet is restricted in the following ways:
- Code that originates from the Internet or local intranet does not have permission to read or write to a local drive.
- Code that originates from the Internet or local intranet does not have permission to read or write to the system registry.
- Code that originates from the Internet or local intranet can communicate with the Web site of origin.
- Code that originates from the local intranet has unrestricted access to UI elements, but code originating from the Internet only has access to sub windows and the Clipboard.
The default security policy is adequate for most, but not all, situations. You should consider modifying security policy when:
- You want to trust an application that requires more permission than the zone from which it originates receives by default.
- You use applications from a particular publisher that you completely trust and want these applications to have access to specific resources no matter where they are executed.
- You want applications on the local computer to have less than full trust. For example, you are an enterprise administrator and you want to prevent users from installing and running untrusted applications.
If you decide to edit policy, you must make sure that you do not decrease permission to applications to the point that they will not function properly.