Browser Security: Strategies, Tactics, and things that go KRUUMMP in the Night...
Once you have secured your default Windows Internet Security settings with DrawBridge, only the web sites that you designate as Trusted Sites will be able to run scripts or plug-ins. The fraudster who sends you a link that looks like a Trusted Site but really goes elsewhere won't be able to run scripts unless you let him/her. Neither will the advertiser using a frame to display their content on a Trusted Site, unless the advertiser's site is a designated Trusted Site. This means no more third-party popup screens - only a site designated as a Trusted Site can run a popup on a DrawBridge secured system.
So you're logging in to your Trusted provider, when "KRUUMMP!": an ActiveX plug-in is flagged and a message states that the site won't be viewed or function correctly without the plug-in. No sweat! If DrawBridge has secured your settings, and the provider is designated as Trusted, then the ActiveX plug-in is not from your provider, but may be from one of their advertising clients: someone who is not on your list of Trusted Sites, and has absolutely nothing to do with the functionality of your provider's web site. Always check the security certificate, confirmed by a picture of a closed padlock near the bottom right corner of your browser - and NOT on the web page itself!
The occasional third-party plug-in flag can be annoying, but it is much better than exposing yourself to third-party hackers and viruses! Go ahead! Thumb your nose at them. By shutting down client-side scripts and plug-ins, you are effectively holding the narrowest gap in the terrain. Sure, you can let some sites through, but it is far easier to keep people out of your computer if you do not allow remote, unscanned code to be run in the first place.
Sometimes you might trust a site, but one of their programmers was born with six legs and writes very buggy code! If the problem exists with a specific sub-domain, you can avoid the error messages by using the Advanced classification to list that specific sub-domain and domain in addition to listing the domain itself. In this case you would trust the domain, but restrict the specific sub-domain and domain. The result is that whatever comes from the site in question, but not from the restricted sub-domain, will be allowed to run code, while whatever comes from the restricted sub-domain won't be allowed to run any code on your computer. This sets One Trusted Site minus the problem sub-domain!
Perhaps you have a site you trust enough to log in and fill out some forms, but the volume of site popups is annoying in the extreme. In this case, you designate the domain as restricted or declassified (or don't even bother) and only designate the login sub-domain (and any other sufficiently desired sub-domain of the site) as Trusted (using the Advanced button). The result is to preserve functionality only where it is needed, and minimise the popups as much as possible.
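The two sub-domain arrangements above, and the look-alike link from the opening paragraph, worked through as an added example. This is not DrawBridge's or Windows' own code; it is a small model of the precedence the text describes, and the host names, zone labels and function names are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed zone list (assumption): "example.test" is a trusted site with
# one restricted sub-domain; for "shop.test" only the login sub-domain is
# trusted and the rest of the site is left unlisted.
ZONES = {
    "example.test": "trusted",
    "buggy.example.test": "restricted",
    "login.shop.test": "trusted",
}
DEFAULT_ZONE = "internet"  # unlisted hosts: scripts and plug-ins stay off


def zone_for(url, zones=ZONES):
    """Return the zone of the host the URL really points at.

    The most specific listed entry wins, and an entry matches only on a
    whole-label boundary: "example.test" covers "www.example.test" but not
    "badexample.test" or "example.test.other.test".
    """
    # urlsplit discards any "user@" prefix, so the real host is classified.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Try the full host first, then drop one leading label at a time.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return DEFAULT_ZONE


def may_run_code(url, zones=ZONES):
    """Only hosts that resolve to the trusted zone may run scripts or plug-ins."""
    return zone_for(url, zones) == "trusted"


if __name__ == "__main__":
    samples = [  # constructed URLs
        "https://www.example.test/",             # trusted domain
        "https://buggy.example.test/app",        # restricted sub-domain
        "https://login.shop.test/",              # only this sub-domain trusted
        "https://www.shop.test/",                # rest of that site: default
        "https://badexample.test/",              # look-alike, no label match
        "https://example.test@ads.other.test/",  # real host is ads.other.test
    ]
    for u in samples:
        print(f"{zone_for(u):<10} {u}")
```
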