Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
The Officially Unofficial ShieldsUP! FAQ
If you've grown tired of my voice and writing style on this site, I think you'll find the following to be a refreshing change! The text of this page was created by a terrific group of volunteers participating in our newsgroups. Led by Chris Baker, they have produced a fabulous introduction to Internet security and a resource that has a decidedly different "spin" from mine. I think you'll really enjoy reading what Chris and his group have assembled.

Why YOU REALLY NEED TO READ this long page . . .

Since all participants in a newsgroup discussion see everything that everyone else posts, newcomers create a bit of a problem when they ask the same "standard" questions that have already been answered hundreds of times before. As you can imagine, everyone else grows quite tired of seeing the same questions.

So, it has become a tradition within newsgroups for a group of volunteers to create and periodically post a Frequently Asked Questions (FAQ) file. Now that such a file exists (below) anyone asking a "standard question" will simply be told to "go read the FAQ".

Since the following page really is a distillation of our experience in the ShieldsUP! forum, if you will take a few minutes to READ IT FIRST you will probably find that your question has already been answered right here.

I can guarantee that you will learn an amazing amount more than what you may have already discovered throughout the rest of my site. And IF your questions should survive this reading, they, and you, will be welcomed into the ShieldsUP! forum and greeted with deserved respect.

And, finally . . . I really think you'll enjoy this!  (It's quite funny.)

Please direct any suggestions, tips, tricks, or fan mail,
regarding this FAQ to its author and maintainer,
Chris Baker at:

ShieldsUp! Newsgroup
Frequently Asked Questions
Written and Compiled by Chris Baker
Version 1.14 - 16 April 2000

Please note: If you wish to contact me with errors, omissions, or suggestions regarding this FAQ, feel free to e-mail me at, and I will try to get back to you within 72 hours. However, if you have general questions or technical support issues regarding ShieldsUp!, or anything else for that matter, I regret that I have neither the time nor the resources to assist you directly. Please contact ShieldsUp! technical support at , or better yet, post your question in one of the ShieldsUp! newsgroups. Many friendly people (including me) frequent those forums, and will be more than happy to assist you. In addition, you may find the answer to your question there without having to ask it (please look before posting, lest you get flamed), and once your question is answered, everyone can learn from your experience. I'm sorry, but I just don't have the time to try to individually assist people who write to me with their technical support problems. If you send me such an e-mail, you will probably receive no response. Also, if you have any desire at all to get a response from me (or ShieldsUp! support for that matter), don't send e-mail with a mungled anti-spam return address. I have yet to sell any e-mail addresses to spam companies, and I don't intend to start now. However, I do not have the time to manually-edit your e-mail address.

Table of Contents


This FAQ came into being on 29 February 2000, primarily because I got tired of answering the same few questions over and over again. Everybody was thinking it, but nobody really had the guts to cry out for a FAQ. (As I was more or less sitting on the first draft, several others did speak up for a FAQ, and one user, Fast Turtle, actually wrote one.) The first version of this document was composed pretty much in one afternoon sitting, thus the conversational tone. It's not a traditional FAQ, per se, but more of a "discussion" to bring the newbie up to speed.

Right now, it basically represents a compilation of what I know about internet security, with the excellent comments of several others thrown in. My hope is that it will grow to become a compilation of what we know about internet security. Obviously, I need your input to make that happen.

This document isn't intended to replace the excellent material on the ShieldsUp! site, or duplicate what's already in the ShieldsUp! FAQ. Rather, it's meant to supplement both by answering questions which pop up in the newsgroup time and again because they're not answered on the ShieldsUp! site.

Many thanks go out to the individuals who helped me refine the pre-release version of this FAQ. They made no bones about telling me exactly what they liked a lot and what they thought was really stupid regarding my original document. Their suggestions have also become some of the first expansionary topics addressed here. In no particular order, I want to acknowledge the contributions of Bob Anderson, Martin Paquet, Jim Crowther, Nils Grotnes, Brett Turcotte, Johannes Niebach, Robert Wycoff, Adam Hill, Adrian Mink, John Underwood, Stephen Martin, Rebeccah Prastein, Milly Peters, Kevin Alexander, Dave Moose, Mark Rowan, and Phil Youngblood. In addition, where I have taken posts verbatim from the newsgroup, the author is identified, and my thanks is implied.

In particular, Robert Wycoff is primarily responsible for gently prodding me about once a week to get off my butt and finish this FAQ so we can all stop answering the same questions. His nagging, along with my own small sense of guilt, prompted me to pull a college-style all-nighter on 30 March, and get a near-working prototype out the door. I haven't really done that since my senior aerospace design project in 1997. Are you happy now, Robert?

Additionally, everyone on the GRC newsgroups is responsible in one way or another for what those forums have become. With each post, becomes an even bigger repository of knowledge, and I get more material to put into this FAQ.

I also want to thank Dave Moose, a.k.a. "Dave" for helping to inspire me to write this FAQ. Dave is a great guy who could teach us all a thing or two about how it was "back in the day," but he was having a couple of problems getting up to speed on some of the stuff we were discussing in the newsgroup, and was thus a "newbie" in that sense. Dave's proof positive that with a little nudge, one can transition from asking silly questions on the newsgroup to answering silly questions on the newsgroup. That's exactly the conversion this FAQ is designed to catalyze.

Finally, I'd like to thank Steve Gibson. Without his tireless work and truly selfless dedication to spreading the word about internet security, few of us would even know enough to ask the "newbie questions."

General Questions About This FAQ

Q. What is this?
A. It's a FAQ.

Q. Oh, what's an "F.A.Q.?"
A. It's not an "F.A.Q.," it's a FAQ. It rhymes with "whack." It's short for Frequently Asked Questions. If you're looking for the answer to something and you find it in here, pray that you didn't already ask your question in the newsgroup.

Q. Why's that?
A. Because people will flame you and tell you to "check the FAQ."

Q. Oh... What's a "flame?"
A. Look, as much as I'd like to teach you everything about the internet in this FAQ, I simply can't. I suggest you look elsewhere for that sort of mundane question. This FAQ is about ShieldsUp! and related net security topics. Get it?

Q. Okay, okay, you don't have to be such an ass about it.
A. I was just trying to illustrate what a flame is.

Q. I'm sorry, I didn't realize.
A. Of course you didn't, you're a newbie.

Q. What's a "new..."
A. Don't ask.

Q. Jeez, why did you write this FAQ in such a sarcastic and abusive style?
A. I don't know, that's just the way I am I guess. Don't take it personally. I do try to include a lot of knowledge in addition to my sarcasm. You have to take the good with the bad, I guess. Think of it this way--making fun of you guys makes this worthwhile to me. If I weren't allowed to make fun of newbies in my FAQ, I'd have to charge for it or support it with advertising. This way, you get it for free.

Q. You know, lots of people write FAQ's and distribute them for free, and they don't berate their readers.
A. Oh yeah, name two.

Q. Look, I can't name them, but what I'm trying to say is that some people do it out of pure philanthropy. They enjoy the giving. They enjoy taking young newbies under their wing and passing information on to them.
A. I'm sorry, but I don't. I need to get some sadistic pleasure out of it. Besides, who wants to read a dry, boring FAQ? Nobody. So if I write a dry, boring FAQ, nobody will read it and it won't reduce the number of Frequently Asked Questions. Let's change the subject.

Q. OK, where can I find the latest version of this FAQ?
A. The latest version will always be available at It may also occasionally be posted in its entirety to Steve's ShieldsUp! newsgroup.

Q. What if I want to view it offline?
A. Okay, I got so many requests for this, you may now download everything you need to view the FAQ offline in convenient ZIP format at Make sure you preserve folder information during the un-ZIP.

Q. Who's "Steve?" Why does everybody keep referring to "Steve?"
A. "Steve" is Steve Gibson, the creator of the entire ShieldsUp! web site, and plenty of other things. You should really browse around a little bit before you come to the newsgroup. You're really scaring me with your utter lack of basic knowledge.

Q. Is it possible that after I read the FAQ and exchange ideas with people on the newsgroup that one day I might know the answer to a Frequently Asked Question?
A. I suppose it's possible. I mean anything is possible.

Q. Well, hypothetically speaking, if I were to someday learn the answer to a Frequently Asked Question that's not already in the FAQ, how could I contribute to it?
A. Oh, I see where you're going with this. You can send your question and a detailed, correct answer to me via e-mail at: Please be sure to include liberal quantities of sarcasm in your answer. If you don't, I'll have to add it myself, and I charge extra for that.

Newsgroup Netiquette

Q. When I reply to someone's message, the stuff in his message is also put into my reply. What's the deal with that?
A. That's called "quoting" and it's put there for several reasons. First, you can easily refer to the original author's text when writing your response. Second, you can leave some of his stuff in there to add context to your message. That way, people won't have to go back and forth to see what you're replying to.

Q. Wow, what a great idea. I love context. I think I'll leave his entire post in there.
A. Bad idea. Really, we all saw his signature the first time. We know what it looks like. We don't need to see it again. Please cut out the parts that aren't relevant to your reply. It is also good practice to avoid "double-quoting"--quoting the author's quote of the guy before him. Don't do this unless what that guy said is also quite applicable to the context of your reply.

Q. OK, I see the error of my newbiefied ways now. By the way, is it better to place my message before or after his quoted message?
A. That's a matter of some debate, and is not likely to be resolved any sooner than the PC vs. Mac or Windows vs. Unix battles. Most newsreaders put your response before the quote by default, and you'll find that when someone puts his stuff after a quote, things can get real confusing real quick, especially when the quote whores start double- and triple-quoting. Also, most newsreaders have a preview pane. If you put your new message first, it allows users to see what's new right away. If they need context, they can scroll down to the other guy's stuff. The bottom line is that whatever you do, you're going to piss off somebody. The most important thing to keep in mind is to only quote what's important to establish the context of your reply. I can't emphasize this point enough.

Q. So you're saying I shouldn't quote some guy's entire three-page post just to say "I agree" or "me too" at the bottom?
A. Now that this FAQ is out there, if you do, I will most definitely flame you. Remember that Steve is running this news server at his expense. Not only does that mean that we use up his hard drive space, a few kilobytes at a time, for every message we write, but it also means we suck up his bandwidth for every message we send and receive. If you put a 1 kb message after 14 kb of quoting (I'm not making this up--somebody actually did this), you're making that message 15 times bigger than it has to be. Now you may say, what's 15 kb? Remember that lots of people besides you read this newsgroup. If 500 people download that message, that's 7,500 kb or 7.3 megabytes that gets transferred. That's nearly 7 MB more than was really necessary for that little message. Multiply that times the number of messages like this, and you start to see the magnitude of the situation. It's a courtesy thing, not just for Steve and his equipment, but for the 500 poor saps that have to scroll through three pages just to discover that you agree with all of it.

Q. Sometimes I see people intermixing their text with quoted text. Is this okay?
A. Sure, if done correctly. If someone has asked several questions, it is often more clear to quote his question and then follow it with your answer. This is certainly better than giving an answer like: "1. Yes, 2. No, 3. Yeah, 4. Maybe." That kind of response doesn't help anybody.

Q. But you said to put your text above the quoted text.
A. Whose FAQ is this? You must be some kind of lawyer. We don't like lawyers around here. Seriously, though, the point of the mixed quoting is to see the question followed by the answer. This is an exception. We're not playing Jeopardy! here--nobody wants to see the answers before the questions.

Q. What if I cut the other guy's post in a manner that truncates what he's saying and takes his remarks out of context, potentially skewing his meaning?
A. Don't do that. If it's at all unclear, the phrase "[SNIP]" is a pretty good indication that you cut something. If you play it right, you can even get in a friendly jab here: "[INCESSANT RAMBLING LIBERALLY SNIPPED]" or something along those lines.

Q. My newsreader gives me the choice of posting messages in "Plain Text" or "Rich Text." Why would I ever want to use "Plain Text?" It seems like "Rich Text" would be a lot more attractive.
A. It is, however, some newsreaders don't deal well with rich text, which is basically just HTML-enhanced plain text. When you post a message like that, those users have to wade through a ton of HTML "tags" to discern what you were trying to say. In addition, HTML messages open up all the potential security risks of web pages if you aren't running a tight ship. For this reason, Steve has recently banned HTML altogether. If you're a newbie trying to figure out why every post you try to make disappears into the bit bucket, never to be seen again, you might want to ensure you're not using HTML.

Q. Oh. Well how do I fix that?
A. In Outlook Express 5, click on the Tools menu, then click Accounts... Click on your news account and click Properties. Click on the Advanced tab. Down at the bottom where it says "Ignore news sending format and post using:" make sure that's checked and select Plain Text.

Q. But I'm using Netscape.
A. You will quickly learn that I know very little about the current incarnations of Netscape. The last version I used regularly was 3.0, as that was the last version that, in my opinion, was actually better than Internet Explorer at the time. However, in this case, and fortunately for you, Phil Youngblood has provided the answer (although for exactly which version, I am unsure):

To select plain-text posting in Netscape, click on Edit | Preferences | Mail & Newsgroups | Formatting, and move the little dot from "use the HTML editor" to "use the plain text editor."
Q. What about "attachments" or "binaries?" What's all the fuss about?
A. There didn't used to be a fuss, but then some utter morons started posting 250 kb files left and right. Some of them were lame, obscene, prank call .wav (wave sound) files, and other times people would post misbehaved executable programs which were downright counterproductive. One sorry excuse for a human being (and I use that term loosely) did actually post two viruses. In the past, posting a virus or Trojan was completely possible, and you know as soon as it happens, some newbie will run it (maybe you).

Q. Okay, so I guess that's kind of stupid, but what do I care? I've got a 200 ZillaBaud Ultra-DSL Broadband IEEE 1394 Cable connection! Sure that .wav file was lame, but it only took like half a second to download! As long as I'm not stupid enough to run an executable that someone posts, why would I care if they post huge files?
A. You probably don't. But I'll let you in on a little secret: remember those English guys that thought they were so technologically-advanced in 1776 that they could come all the way across the Atlantic and put the smack-down on some misbehavin' colonists in America?

Q. Yeah. So what?
A. Well apparently, they haven't figured out the secret of broadband access over there yet.

Q. Oh, well that sucks. But even at 28.8, it's not that big a deal, and you can just abort it if it's taking too long.
A. Well, it's not so simple. See in some other parts of the world, you can't even phone across the street without incurring a per minute charge. There's no such thing as a local phone call as we know it. In fact, there's even a connection fee for each call. So what these poor saps have to do is connect and download all the messages real quick-like and then disconnect again. If somebody posts a 250 kb file, it actually costs them money as well as time.

Q. Wow! God Bless America!
A. Indeed. Also, you know what they call a Quarter Pounder with Cheese in Paris?

Q. They don't call it a Quarter Pounder with Cheese?
A. No, they got the metric system there, they wouldn't know what the hell a Quarter Pounder is.

Q. What'd they call it?
A. Royale with Cheese.

Q. Royale with Cheese. What'd they call a Big Mac?
A. Big Mac's a Big Mac, but they call it Le Big Mac.

Q. What do they call a Whopper?
A. I dunno, I didn't go into a Burger King.

Q. Wow! In light of all that, file attachments sound like a really stupid idea. Can't Steve just ban them?
A. Sure he can. But remember, nothing helps a newbie out like a picture. I can type 100 words trying to tell you which little box to check in some configuration dialog, but chances are you'll still screw it up unless I can show you what it's supposed to look like. Worked pretty well on Steve's Network Bondage pages, didn't it?

Q. It sure did! My newbie ass would've been way lost without those pics! I can see now why it's helpful to allow small pictures. But how can I make them small enough so that those silly Brits don't flame me?
A. First off, you're probably running your desktop with 65,536 colors, right?

Q. No way, Dude! Just yesterday, I found a way to crank it up to 4,294,967,296 colors! It's hidden in this thing called "Display Prop..."
A. Yeah, okay, all right, whatever. That sure looks nice on your screen, but it takes 32 bits to define the color of each pixel. In contrast, to show 256 colors only requires 8 bits, and 16 colors uses just 4. What I'm saying here is that, everything else being equal, you can take your 32-bit screen capture and reduce the colors to at least 256, and maybe all the way down to 16.

Q. What's the deal with those funky numbers anyway?
A. Well, a computer's digital. Bits (short for "binary digits") are binary--they can either be on or off. Therefore, there are two possibilities for each bit. For example, 2-color (black and white) images are 1-bit. If you add another bit, you get 2 x 2 or 22 possible combinations, resulting in 4 colors. At 8-bit, you have 28 or 256 colors, and so on.

Q. I see, but won't reducing the number of colors make my image, like, way ugly?
A. Who cares? The point is to get your situation across, not show off how many colors your graphics board is capable of. By going from 16 Million down to 256 colors, you decrease the image size by a factor of four. If you make it down to 16 colors, your image is only one-eighth its original size. By doing this and cropping the image to show only what's necessary, you can usually get your point across in less than 30 kb, as compared to 100-200 kb if you don't do anything.

Q. Oh, I see. But I wouldn't know how to reduce the number of colors or crop an image. Can I do that in Windows Paint?
A. I've heard rumors that it's possible, but you really want to use an image editor. I recommend the following shareware:

Paint Shop Pro is second only to Adobe Photoshop in popularity, so there's plenty of info out there on how to use it. PSP even includes a powerful screen capture utility. Once you decrease your colors to 256 or 16 and crop your image, save it as a GIF and attach it. Check to make sure it's small (~30k) first, though.

Q. Can you tell me exactly how to do that in PSP?
A. I could, but this isn't the Paint Shop Pro FAQ, in case you forgot.

Q1. Man, I went to that JASC site and checked out Paint Shop Pro, and it's almost 15 MB! I'm one of those "poor saps" that has to pay by the minute--isn't there anything smaller?
Q2. Man, I downloaded Paint Shop Pro and it's kicking my butt! Isn't there anything easier?
A. Well it doesn't get much easier than this: Milly Peters points out that there are a couple of really cool utilities on the web that will automatically reduce the file size of images for you. You don't have to download anything (except the squeezed image), and best of all, they're free! All you need to do manually is crop your image and get it into GIF format. These sites severely reduce the "geek factor" required to make your images smaller:

Q. What else can I do to appease the Europeans?
A. Well, if you absolutely feel the need to post larger (>50k) files, and you have the capacity to put an image on a web server and link to it, that would be best. In fact, Steve has recently put a cap on the size of messages, so if your stuff's too big, you're going to have to find someplace else to keep it and post a link instead. And whatever you do, don't post stupid files that have absolutely nothing to do with the topic at hand. (Small funny images are okay in moderation. However, make sure the laugh factor is high, as the number of flames you receive will be inversely proportional to the humorousness of your post.)

Q. Speaking of the topic at hand, is there anything I should know about choosing a subject for my post?
A. I'm glad you asked. You always want to include a descriptive title for your postings. People decide which messages to read based on their subject. A subject of "Help!" for example, doesn't really tell anyone what you're asking, now does it? Perhaps a more appropriate title would be something like "How can I choose an effective message subject?" That way, not only would people who have already solved this problem key in on your post and help you, but future users looking for the same answer might have a snowball's chance in hell of actually locating it with a header search and not have to re-post the exact same question as was asked and answered just a few days prior.

q. wow, i had no idea that u knew so many rulez, dude!
A. Hey, you see those long, funny-looking, keys near the bottom corners of your keyboard? Those are the SHIFT keys. They allow you to make capital letters, which have been traditionally used in the English language to signify the beginning of sentences, proper nouns, and the pronoun "I." Just thought you might want the heads-up.

q. but i think this is really kewl.
A. Funny, but most of us agree it's actually fairly juvenile, poor form, and hard for others to read.

Q. Wow. Your really knowledgeable about this stuff.
A. Hey, let's get one thing straight, okay? When you attempt to replace the words "you are" as in, "You are really knowledgeable about this stuff," you've got to replace them with the contraction "you're." The word "your" implies possession, as in "belongs to you." When you use the wrong form, you only succeed in demonstrating your ignorance, and your point is often lost in your poor grammar.

Q. Sorry, but English is not my first language. I bet I write in English better than you write in my language.
A. You're absolutely correct, and this isn't meant to be a slam on your English if that's not your native tongue. However, I've noticed that most people for whom English is a second (or third) language have a much better grasp on this concept than a lot of Americans. ("A lot" is two words, by the way.) I would point to the abysmally low quality of education in this country as the root cause. It really is an embarrassment for me, and I wish you'd clean up your act so you don't make Americans look like we're so stupid that we can't even learn our own language correctly.

Q. I didn't realize there school's are so much better than ours.
A. Okay, you're hopeless. You are welcome to read, but please don't post until after you complete your G.E.D.

Q. But why does the English language have to be so difficult?
A. This is a common criticism from foreigners who learn English as a second language, since most other languages don't suffer from this kind of "homonym confusion." However, I can only postulate that when English was in its infancy, its progenitors must have been thinking of the internet. You see, when the personal attacks start flying, the need to incorporate the words "your" and "you're" is almost unavoidable. Fortunately, and because of the brilliant design of the English language, the misuse of their various forms provides an excellent indication, both to you and to everyone else, of the fact that the person who is attacking you is an uneducated moron.

Q. So then you know that you can simply disregard him?
A. Yeah. Either that or toy with his feeble mind, depending on your mood.

Q. I keep seeing people drawing little faces or using TLA's (Three-Letter Acronym's) like "LOL," "BTW," etc. Where can I go if I don't understand them?
A. Well, FWIW, you can check out the following resources:

Q. Those silly Brits keep using lingo I'm unfamiliar with. One of 'em told me that something I said was was "luvverly jubberly." Should I be offended?
A. They do speak funny over there, don't they? Try these:
Q. Is there anything else I should know about Netiquette?
A. Yeah, you might not want to make fun of as many different people as quickly as I have in this section. You should see all the flames in my inbox!

Q. Well I've read all this stuff about netiquette, and I think I'm ready to post. I don't really have anything to say, but I want to make sure that if I ever do have something to say, I know what I'm doing. I guess I'll just post a message with something like "This is a TEST - Please ignore" in the newsgroup.
A. Well, you could do that, however, for some inexplicable reason, people in this newsgroup really seem to thrive on creating pointless replies to pointless test postings. I can't explain it, and none of the psychologists I've consulted with understand this behavior either. So although you could make such a test posting in ShieldsUp, it would be better for us all if you did it somewhere more appropriate.

Q. Like where?
A. Actually, there's a Usenet newsgroup designed exclusively for this purpose. Cruise on over to alt.test and test away! (Note that you need to have your ISP's news server configured as your default news server for this link to work, since this newsgroup is not carried on If ShieldsUp! is your first newsgroup experience, you may have some additional configuration to do before you can access alt.test. However, the good news is that you'll also find yourself with access to up to 40,000 additional newsgroups!)

General Questions About Zone Alarm

Q. What's "Zone Alarm?"
A. Look, Steve's made this entire kick-ass ShieldsUp! website to help all of us. I didn't know a thing about internet security until I came here. Really, you should go read all of Steve's pages and then come back. Go ahead...the FAQ will be here when you return. OK, now that you're back, you know that Zone Alarm is a personal firewall program that many of us are using to help secure our machines.

Q. Why are you using Zone Alarm?
A. Because it's free and has some nice features. Sure, it has some bugs too, but overall, it's very nice. (Dollar-for-dollar, it's the best firewall available, too!)

Q. Is that my only option?
A. No, there are several other commercial products available as well. Some of us like those better than Zone Alarm and are willing to pay for them. Some of us prefer Zone Alarm. Steve's put together a pretty good list at You could also check out the list of useful software included elsewhere in this FAQ.

Q. OK, where can I get the latest version of Zone Alarm?
A. Zone Alarm is available through Zone Labs (go figure), and their site is located at

Q. I already had Zone Alarm version 2.0.22 installed, but I see everyone talking about 2.0.26. I keep hitting the "Check for update" button in Zone Alarm, but it keeps telling me that no update is available. What gives?
A. For some reason the Zone Labs guys took their time enabling the check for update availability of 2.0.26. I don't know what the status of the "Update" button is at any given moment, but the best option is usually to grab the file manually from the download link on the Zone Labs pages.

Q. Version 2.0.26? That's old news! What's the latest version of Zone Alarm?
A. It would be a real pain for me to have to update this FAQ every time Zone Labs releases a new version, but you can always find it on their download page at

Q. OK, I keep seeing people talking about a "beta" version of Zone Alarm. What's that all about?
A. A beta version is just a public preview release. The beta may have new features and/or bug fixes. However, it may also have new bugs!

Q. I can't find a link to it on Zone Alarm's web site. Where can I get it?
A. Understand that this is a beta release--it's not certified to be bug-free and you may have problems with it. However, most people seem to be having good results with the betas. If you want to try it, go to

Questions About Zone Alarm Installation

Q. Do I need to uninstall my older version of Zone Alarm before installing the latest?
A. Nope. However, some users recommend this practice, and it can't hurt. Zone Alarm will preserve your settings even if you uninstall it, BTW.

Q. Well is there anything I might want to consider?
A. Yup.

Q. What's that?
A. Well there's a file included with the distribution called "readme.txt." You got any idea what you're supposed to do with that file?

Q. Read it?
A. You betcha.

Q. OK, it's pretty long, what's important?
A. The first thing you want to make sure of is that you follow the instructions about disabling the Zone Alarm Desk Band and rebooting before installing the new version.

Q. What's a "Desk Band?"
A. You got a big ugly orange bar down by your clock?

Q. No.
A. Good, then you don't have it turned on.

Q. But what if I do?
A. Right-click in a blank space on the task bar, click Toolbars in the pop-up menu, and un-check "Zone Alarm Desk Band." This thing is so ugly you should really be ashamed that you had it enabled. You will also need to reboot before installing the new version of Zone Alarm.

Q. What else?
A. Also, make sure you reboot after your installation.

Q. Why all the rebooting?
A. Welcome to Windows. If it bugs you, check out

Q. Is Zone Alarm available for Linux?
A. Nope, but unlike Windows, you can actually secure Linux without third party applications.

[Note: I'm aware that this next line of questioning is slightly out of date, however it may still be an issue for some, so I'm leaving it in for another revision or two.]

Q. Anyway, so is there anything else I need to be aware of when upgrading from 2.0.22 to 2.0.26?
A. Yes. See the next question.

Q. Okay, wise guy. I installed Zone Alarm 2.0.26 over my 2.0.22 version and rebooted eight-hundred times and all that jazz. But when I run Zone Alarm now, in the "Configure" menu it says "ZoneAlarm version 2.0.22, TrueVector Service version 2.0.26."
A. For some reason the geniuses at Zone Labs decided that, starting with 2.0.26, Zone Alarm was going to install itself at C:\Program Files\Zone Labs\Zone Alarm\ by default.

Q. OK, so what's wrong with that, and what's it got to do with my question?
A. Well, prior to that, it put itself in C:\Program Files\Zone Alarm\. This means that if you simply accept the default installation directory, you will most likely have two copies of Zone Alarm installed, one version 2.0.22 and the other 2.0.26. I know what I'm talking about. This happened to me.

Q. Well the program's not very big, so what's the big deal?
A. The big deal is that if you launch Zone Alarm from one of your old shortcuts that still points to the directory where 2.0.22 is installed, it'll still run version 2.0.22.

Q. Well if that's the case, why does it say TrueVector 2.0.26?
A. TrueVector is Zone Alarm's underlying technology that allows it to do its job. It runs as a service at Windows startup. When you upgraded, TrueVector 2.0.26 was written over 2.0.22. So when you restarted, TrueVector 2.0.26 was active. However, when you ran the old version of Zone Alarm from your shortcut, it loaded version 2.0.22 of Zone Alarm, hence the version discrepancy.

Q. Isn't this bad?
A. Well it's definitely un-good. If you were experiencing problems with Zone Alarm 2.0.26, check to see that you didn't do this.

Q. So if I want to fix it, can't I just click on the "Check for upgrade" button?
A. Nope. But go ahead, try it. Go ahead, we'll wait. Betcha got a message like "No update available at this time (version was not recognized)" didn't ya?

Q. Alright stop toying with me! Tell me how to fix this!
A. First, you should delete the folder containing Zone Alarm 2.0.22. Once you've done that, if you click on a shortcut pointing to 2.0.22, it will be broken, and Windows will ask you to point it to the correct file. Just navigate it on over to wherever 2.0.26 was installed and voila, it's fixed.

Q. No it's not.
A. OK, I'm sorry for you. That's all that I know about this particular problem. I recommend you do a complete uninstall of Zone Alarm, reboot, and do a fresh new install.

Questions About Using Zone Alarm

Q. What does it mean to allow an application to act as a server?
A. Most applications do not need to be allowed server access. Server access means that that program is opening up a port and actively listening for other machines to initiate contact with it. This is how many Trojan Horse programs work, BTW.

Q. Well if I don't give a program server access, doesn't that mean that it won't be able to receive information from the net? How will my e-mail arrive? How will I see the web pages I ask for?
A. Re-read what I said before. Server access allows an application to listen for other machines to make unsolicited connections with your computer. If a program without server access requests a resource from the internet (a web page, your e-mail, etc.) Zone Alarm will allow the response to get through. Conversely, if some computer out on the net tries to contact your machine first, Zone Alarm will "play dead" and not answer. This is what Steve means by "Stealth."

Q. Whoa, that's complicated. Can you give me an analogy?
A. I'm glad you asked. Did you know that you can have a phone line installed that only receives calls and doesn't allow you to make any?

Q. No I didn't know that.
A. Well it's true, and many businesses use this. When I was in high school, I worked at a pizza joint that had an "incoming calls only" phone line for orders.

Q. Wow that's great. Can you teach me how to throw pizza dough?
A. I could, but that's beyond the scope of this FAQ. My point here, and I do have one, is for you to consider the opposite--that you have a phone line that can only make outgoing calls but can't receive unsolicited incoming calls. Kind of like an unlisted number, but without stupid friends that give your private number out to everyone. (I'm not bitter, no.)

Q. Okay... What's this got to do with...
A. I'm getting to it! That's what Zone Alarm normally does. It acts like this unlisted number. Just because you don't receive incoming calls doesn't mean you can't hear the people you call, right? They just can't call you first. Well the same is true for your web browser running under Zone Alarm--if you want to go to Yahoo! and surf, when your web browser asks for Yahoo!'s page it sort of tells Zone Alarm, "Hey, it's okay for Yahoo! to send the answer." But the next day, when Yahoo! takes your IP address that they got from you the day before and tries to send some info directly to your computer, Zone Alarm will say, in true Lee Corso fashion, "Not so fast, my friend," and turn it away. Actually, that's not entirely true either. Zone Alarm will actually just play dead and make Yahoo! think that your computer's off, you're disconnected from the net, or the IP address is bad.

Q. Who's Lee Corso?
A. You don't watch much College Football, do you?

Q. No, never.
A. OK, well it's not important that you know. (If you're curious, though, here's the scoop.)

Q. So how do I know which applications to grant server access to?
A. You should be careful what applications you allow server privileges to. Most do not require them. Some may even think they do, but they don't. Here's a rule of thumb: Never grant any application server access on the first request. See if it will function without it first.

Q. How do I know if it's working?
A. Is it doing everything you expect it to do?

Q. Well yeah.
A. Then don't screw with it.

Q. Okay, now I'm trying to run this program that I've denied server privileges to and it's not working right.
A. First, ask yourself why it needs to listen on a port. Is this a good program that you trust, or is it some application you received in an e-mail message that's supposed to be some dancing baby or something?

Q. No, I trust it. It's from a reputable software company. It makes sense that it would have to listen for incoming connections to do its job, and that's okay with me.
A. Alright then grant it server access.

Q. Look dummy, I'm a newbie--that's why I'm here. I'm not capable of evaluating whether an application should legitimately have to act as a server or not. Throw me a frickin' bone here. Tell me what sorts of applications might have to be servers!
A. Sorry, I've been a frickin' evil computer geek for twenty frickin' years, okay? I forget that some people don't have a feel for this stuff. First the big stuff--if you're running any kind of application that has the word "server" in its name, you might need server access. This includes FTP servers, web servers, mail servers, news servers, ad nauseam.

Q. OK, well what about Windows NT Server?
A. If you have to ask that, you should probably go back to Windows 98. Don't ask about Windows 2000 Server either.

Q. OK, what else?
A. Well some communications clients may require server access. The most common being AOL Instant Messenger and ICQ. I shall illustrate the way these work by describing ICQ, since I use it. When you get online, ICQ sends a little note to the main ICQ server saying something to the effect of, "Hey, Chris is online." Then when your friends get online, their ICQ clients contact the same network of ICQ servers and say, "Hey, I'm online--is there anybody I know out there?" The server, knowing you're online too, tells your friend that you're online. When your friend writes a message to you, it will either go directly to you if the ICQ server has given your friend's ICQ client your current IP address, or it will be sent to you via ICQ's servers. Either way, this message will arrive unannounced at your machine on a port at which ICQ is listening. If ICQ is not allowed to act as a server, Zone Alarm won't let it listen on this port, and ICQ will never hear your message. In this case, it's okay for ICQ to act as a server.

Q. OK, Smarty-pants, then why do I not have to give ICQ server privileges and it works just fine?
A. If you are trying to communicate with someone who is behind a firewall or also denying server access, ICQ can be problematic. Sebastian Schlueter posted the following excellent description of the phenomenon on the ShieldsUp! newsgroup:

It has something to do with direct client-to-client communication.

In default configuration, your ICQ client acts as a server when you receive a file for instance. If you don't allow it to act as a server, you can't receive files. (You can send files because your ICQ client acts as a client then.)

But you can configure it to behave differently: Go to the preferences dialog box and select the connection tab. Then choose "I am behind a firewall or proxy". Now your ICQ client always acts as a client, regardless of wether you're sending or receiving.

But this obviously can't work, when both users configured their client this way! In such a case, a message pops up telling you that the transfer can't be done since both clients are behind a firewall.

The bottom line is that if you follow these rules and don't give anything server access unless it doesn't work otherwise, you'll be fine.

Q. Every time I try to use an FTP client, it asks for server access. I'm not setting up an FTP server, I'm just trying to FTP to someone else's server. Why does this happen?
A. FTP is a protocol that is used for passing big hunks of data over the internet. If a server was to send this data back on the same connection it sends commands, you could just forget about sending more commands until it's finished. Thus, the normal behavior is that the FTP client sends the server commands, then the server starts another connection to return the data. This forces the client to become a "server" in order to receive this new connection. You can either accept this, and allow your FTP client to act as a server, or check out if your client supports "PASV mode." This is a command the client can send to the server, in effect telling the server, "Just wait a little, and I'll call you on another line for the downloading." Now both connections start from the client, and the firewall is happy.

Q. When I set up Netscape or Internet Explorer or [insert your browser here], it didn't ask for server access. I've been surfing the net for over a week now like this and everything was working just fine. Then I clicked on a link and all of a sudden Zone Alarm asks me if I want to give my browser server access. What's going on?
A. Did you just click on an FTP link?

Q. I don't know, how can I tell?
A. Did it start with "ftp://"?

Q. Why yes, how did you know?
A. If you need me to answer this for you, you're thicker than I thought.

Q. Okay, answer me this: I'm running an application that I've explicitly denied server access to. However, in Zone Alarm the app appears with a little hand under it, indicating that it's acting as a server anyway. When I hover my mouse over it, it says the name of the application and then "Listening to port(s): xxxxx." What's going on here?
A. You must be running Zone Alarm 2.0.26.

Q. Why yes, how did you know?
A. You also must have neglected to read the "readme.txt" file included with it, despite my persistent urgings.

Q. OK, you caught me, but how?
A. In the readme for 2.0.26, it states that a change has been made allowing localhost server connections always. Some people like this idea and some people don't, but the fact remains it's in there. Your application will only listen to your computer. If something out on the internet tries to connect on that port, it will be Stealthed. Don't worry about it. (As far as I know, version 2.0.26 is the only one affected by this--version 2.1+ reverts back to the previous behavior.)

Q. Well what kinds of applications listen to local ports anyway. That's silly.
A. Mostly proxy servers. I also have this situation with ICQ and with the fax drivers in MS Outlook 98.

Q. What's a proxy server?
A. Oh boy, here we go. I'll refer you to a classic award-winning post by a brilliant young man. Search the shieldsup headers for a post by Chris Baker in the thread "webwasher (was Re: AD BLOCKER)."

Q. Now suddenly Windows Explorer wants to access the internet. What purpose could that serve?
A. World domination, what else? No, seriously it is! The point is that Microsoft stuffed their browser into Windows as hard as they could, and this is the result. The line between Windows Explorer and Internet Explorer is blurry indeed. In fact, you can type an internet address into Windows Explorer or a local directory into Internet Explorer. Now try to tell the difference!

Q. But still, there must be some reason for it?
A. Well, the reason ZoneAlarm identifies it as Windows Explorer is that the browser has started up inside the Windows Explorer process. One reason that the browser may do this is that it's costly on resources to start another process, so if RAM is limited, it's smarter to start inside one already running. In IE 4 you could set this choice yourself, but IE 5 takes a look at the available resources and decides it for you. See Microsoft Knowledge Base article Q240928 for more info.

Q. What is "Distributed COM Services," and why does it want to access the internet?
A. See Microsoft Knowledge Base article Q158508 for instructions on how to disable this. (Thanks to r.e.s. for the link.)

Q. What about Microsoft NetMeeting?
A. I don't use it, so I don't know, but here's what Brian Sullivan had to say about it:

For NetMeeting to work properly, it must be able to act as a server. It listens on TCP port 1503 for incoming T.120 (data) calls and on TCP port 1720 for incoming H.323 (audio/video) calls.
Please note that since I don't actually use NetMeeting myself, I pretty much ignore all the NetMeeting threads over on the newsgroups. If you have more info about NetMeeting, don't hesitate to e-mail me with all the gory details. I know there must be some issues, since there are a lot of threads regarding NM.

Q. I installed Zone Alarm, and it's working great! It blocks all kinds of internet traffic that I don't want. I only have one problem--it often blocks my e-mail program from getting to the mail server too. Why does this happen, and what can I do about it?
A. Why? I don't have a freakin' clue. Remember that Zone Alarm is a product under development and still has some bugs. This is one of them. What I've found that helps is if you add your mail server to the local sites list under Advanced on the Security tab. You don't need to actually lower security for local sites--you can keep that at high too. But for some reason I've found that adding my mail server to the local zone reduces the number of false blocks from ZA.

Q. Does this work for other sites that get a lot of false blocks?
A. I have no idea. Try it and let me know.

Q. OK, I installed Zone Alarm and I'm surfin' along, fat, dumb and happy, and all of a sudden Zone Alarm pops up this box that says it stopped someone from accessing my computer. Am I under attack!?! Should I call the police? The FBI? My lawyer? My network admin? My mom? My ISP?
A. No. Chill out. This has been happening to your computer ever since you got on the net, you just haven't been made aware of it until you installed Zone Alarm. It's just "Internet Background Radiation."

Q. Oh my God! Radiation? Should I back away from my computer? Should I buy a Geiger-counter?
A. Whoa. I said chill out. "Internet Background Radiation," or IBR, was a term coined by Steve Gibson to describe all the broad, general port scanning that goes on constantly.

Q. What? Somebody's scanning my computer? They must be trying to attack me! I'm gonna call the cops!
A. Damn. Relax, okay? You really shouldn't have gotten off the Ritalin so early. It could have been some dude typing the wrong IP address into something by mistake. It might have been your ISP analyzing the performance of its network. Or it could've been some script kiddie scanning one port at every cable modem IP address looking for an easy machine to hack.

Q. What? Hack? "Script kiddie?" That's it, I'm gonna write my Congressman.
A. OK, slow down. A "script kiddie" is sort of like a wanna-be hacker. He doesn't have the in-depth knowledge to be a "real" hacker--he only uses tools (scripts) prepared by others to do his rudimentary hacking. Some of those scripts scan ports looking for unprotected machines or machines infected with Trojans that will allow him to further access your computer.

Q. But if it could be some hacker trying to break in, shouldn't I alert my ISP?
A. I said "script kiddie" not "hacker."

Q. Whatever
A. No, there's a difference. This guy is small-time. He's not trying to break into your machine in particular. He's trying to break into "a machine" somewhere. Most of these kiddies are looking for MP3 files, or pictures of naked chicks, or pirated copies of Quake III.

Q. OK, well all my pictures are in a hidden folder so my wife doesn't find them.
A. Good, that's practicing excellent security.

Q. But this "kiddie" was still trying to attack me!
A. Yeah, you and every other IP address for 1,000 IPs on either side of you. Relax. He didn't get in, your system is safe--thanks to Zone Alarm and ShieldsUp!

Q. But shouldn't I do something?
A. Hey, hello? Haven't you been listening to a word I said? It could've been an innocent little mistake or a normal scan from your ISP. Do you really have so much free time that you want to pursue every little port scan?

Q. Yeah, I'm a real loser.
A. OK. Well, I'm here to help. What do you want to know?

Q. Well it said the attack came from How do I find out who that is?
A. You can use a reverse DNS lookup to resolve the hostname. In this case, it resolves to "".

Q. How did you do that?
A. Are you sure you really want to pursue this?

Q. Yes, tell me how, dammit!
A. OK, go to and play around with the goodies there. You can also download tools from the internet to do the same thing from your machine. There are plenty of other sites like this. (Robert Wycoff recommends You can also accomplish the same thing from your machine by dropping to the console (DOS Prompt) and typing "nslookup".

Q. Okay, how can I find out more information about the little bastard?
A. Run a Whois query.

Q. A who-what?
A. Whois on first?

Q. I don't know.
A. Third base!

Q. Stop screwing with me, I'm trying to save the net from this evil denizen.
A. OK, you can run a Whois from Sam Spade too. It tells you who owns that network block.

Q. OK, it says it's owned by AOL!
A. Duh. You probably could've figured that out without Whois, huh?

Q. Yes I suppose I could've. Now what?
A. Now you bitch to AOL.

Q. How do I do that?
A. Jeez, do I have to hold you hand through this entire process? Draft a complaint to them telling them that you were evilly probed by a computer in their domain. Make sure you tell them the originating IP address and port, your IP address and the port(s) scanned, and the exact UTC time that the scan happened.

Q. What's UTC time?
A. It's Greenwich Mean Time, or GMT.

Q. Oh. What's GMT?
A. It's the time at the Royal Observatory in Greenwich, England. It's used as a standard time around the world. (That's right--they can't figure out how to make a local phone call, but we use them for a worldwide standard time reference. Go figure.)

Q. OK. How do I figure out what the UTC time was? This happened to me at 8:02 p.m. Pacific Standard Time.
A. I'm not going to go into time conversion here, but an easy way for you to find out would be to double-click on your clock and click the Time Zone tab. You see where it says "(GMT-08:00 Pacific Time (US & Canada)?"

Q. Yeah.
A. That means you're 8 hours behind GMT. Your local time is GMT minus 8 hours. That means that to convert your local time into GMT, you need to add 8 hours. Something else you should know--GMT doesn't change with daylight savings time. To convert Pacific Daylight Time to GMT, only add 7 hours.

Q. But if I add 8 hours to 8:02 p.m., that gives me 4:02 a.m. THE NEXT DAY!
A. Way to go, Einstein. You're going to have to increment the date in your report as well.

Q. Wow! How do you know so much about time zones?
A. I'm in the Navy, and I'm a pilot. We deal with this stuff a lot.

Q. OK, I've converted the time to GMT, but that still doesn't change the fact that my clock's 17 minutes off. I set it every other day, but it's a really sucky clock.
A. Most computer clocks are. If you insist on bothering ISP's with reports of scans, you need to give them exact times so they can have a chance of tracking down the offender and corroborating your story. I recommend downloading one the of the freeware or shareware time synchronization utilities from someplace like:

Q. Man, this sure is a lot of work. I had no idea it would be such a pain.
A. Now you see why most of us just ignore these warnings.

Q. OK, you've convinced me. I sent a couple of letters to my ISP and to AOL about these scans, but I haven't heard back from them. What are they doing?
A. They most likely made a note of the offending IP or user and trashed your message.

Q. You mean they're not going to lock the guy up?
A. No. In most locales, port scanning is not illegal. Many states have laws against hacking, and using a port scanner to find a weak spot and then breaking into another user's computer is illegal. Port scanning in and of itself is not.

Q. Well is it illegal anywhere?
A. The following information was provided by Brett Turcotte:

Most of the states I've found, including Texas, California, Florida, and Illinois among the biggies, and Arizona, Vermont and Rhode Island among the others, make it a criminal offense to merely communicate with a computer or network without permission, even if no damage is done.
Q. So the bottom line is...?
A. It's all kind of up in the air. One thing is certain, though--even in locales where this type of port scanning is illegal, the cost of tracking down and proving a case against a simple port scanner isn't justifiable. It would probably still take a successful hack before anyone would get ruffled enough to do something serious about it.

Q. Well this guy was obviously looking to do that. Why else would he be scanning all those IP addresses?
A. You're probably right. But he didn't--at least not to your machine.

Q. So what good did all this do?
A. Not a whole lot, but if the ISP receives many similar complaints about the same user, they may start to keep an eye on him. They'll monitor his activity. If they find him scanning lots of people's machines, then they'll pull the plug on him.

Q. So it's not necessarily wasted time to make these complaints?
A. You could make that case. I suppose it depends on what you consider wasted time. Remember that you came to ShieldsUp! because you were concerned about the security of your machine. You wanted to turn it into Ft. Knox to foil these script kiddies. Well, now imagine you're living in Ft. Knox. Are you really going to be concerned about people shooting paper straw wrappers at the walls?

Q. Well, no.
A. Then relax. Zone Alarm is doing its job and keeping these kiddies at bay.

Q. OK, I feel better now. I guess I'll stop posting the details of every alert message that pops up into the ShieldsUp! newsgroup and asking for people to help me track down the offender.
A. That would be a start.

Q. But why monitor these alerts if I'm not going to do anything about them?
A. Good question. I don't. They just pop up and annoy me. I've turned them off. Some people do, however, so they know when they've really been attacked. With the advent of Zone Alarm 2.1, logging is finally supported, and having the alert pop-up is even less necessary.

Q. How do I tell when I've really been attacked?
A. You've been targeted when you see hundreds of probes from the same IP address or subnet. That means someone is methodically checking all of your ports, looking for a weakness.

Q. Holy pajamas! That's happening right now!
A. OK, you're really being attacked this time, you can stop relaxing!

Q. Don't just sit there, tell me what to do!
A. Open up Zone Alarm. You see the big red button? Hit it.

Q. What does that do.
A. It's equivalent to unplugging your phone line or your cable or your DSL lines or your network cable, etc. You're "pulling the plug" on them.

Q. OK, now what?
A. Now might be a good time to use those "mad skillz" you developed chasing after the script kiddies to make a real complaint to both your ISP as well as the offending site's ISP. You can use the tools at Sam Spade to help you. You might also be able to put some pressure on the offender's end by determining who provides his connection to the internet backbone and writing to them as well. This time, you won't get flamed if you post on the newsgroup, so go ahead and solicit advice there.

Q. Do I really need to go through all those cumbersome steps? I wanna get this guy right now!
A. You might want to check out this kick-ass utility, created by one of our own:

In addition to providing a useful tool, his page is very educational.

Q. Wow, thanks for all the good info and for helping me to not contribute to the problem of posting details of every port scan to Steve's newsgroup.
A. Don't mention it.

Questions About Other Products

Q. What about other software for personal security?
A. Some of us have started to compile a small listing of suggested software. We chose these based on several criteria. First, they must be affordable, preferably freeware or inexpensive shareware, in order to facilitate their use by as many people as possible. (Don't be so cheap as to not pay for shareware you use regularly though--register it to encourage improvements and new innovations.) They must also serve a distinct and useful purpose and be both powerful and accessible to internet security newbies. As of right now, the list consists of:

Virus protection:

  • InoculateIT Personal Edition - from Computer Associates
    [Please note that several people have reported minor problems with InoculateIT PE on their systems. Although it works fine for me, be aware that there may be some issues with this program. If you begin to experience system slowdowns or shutdown problems after installing InoculateIT, try un-installing it to see if that solves your problem.]

Trojan protection:

Personal Firewalls:

Privacy and Encryption:

Cookie Management:

FTP Clients Without Adware:

Ad Filtering Proxies

Q. Are there any other resources on the web like ShieldsUp!?
A. Well there aren't any quite like ShieldsUp!, but here are some useful, friendly links:
Q. Well are there any sites that positively suck?
A. What do you think?

Q. Well I saw this site from Symantec, which I've always thought of as a well-respected security firm, that purports to test some of the same sorts of things as ShieldsUp!. You can check it out at (This is also available via a link on the ZD-TV website.) However, I went there with all my ports closed and Zone Alarm blazing, but it says my security is all full of holes. What gives?
A. This has got to be the absolute worst security test on the web. Let me start by quoting their requirements for the test:

System Requirements
In order to run the Security Analyzer and Virus Check, your PC must meet the following configuration requirements:
  • Microsoft Windows 95 or 98
  • Microsoft Internet Explorer 4.01 or newer.
  • Java Applets, ActiveX controls, active scripting, and cookies must be enabled in Internet Explorer’s security settings.
  • If you are going through a firewall, it must be configured to transmit browser information (user agent) to the web server
  • If you are using the AOL browser, please upgrade to AOL version 5.0 (Keyword: Upgrade)
First, let's look at the OS requirements. Why does this test not run on Windows NT or 2000? Is it because those operating systems are inherently safe and don't have any security issues? I don't think so. However, a quick look at the system requirements for Norton Internet Security 2000, a Symantec product, sheds some light on the subject. Seems that NIS 2000 only supports Windows 95 or 98. Very interesting...

We'll take the next two items together. The only reason this test requires IE 4.01 or higher is because it also requires "Java Applets, ActiveX controls, active scripting, and cookies" to be enabled and supported. Netscape is therefore out because it doesn't support ActiveX controls.

Q. But doesn't this read like a laundry list of potential security hazards?
A. That's right. Even your newbie ass figured that out. Seems that in order to undergo this comprehensive "Security Analyzer and Virus Check," you must first manually lower your defenses and open yourself up to what are, hands down, some of the biggest threats to internet security. Before you run this, you should ask yourself, "Am I going to do all this to accommodate a potential hacker?" It then becomes clear that this is not an objective test of your security setup, but rather a lame attempt to force you into a defenseless position, exposing all sorts of security holes that would normally be closed to hackers.

But let's move on. Seems that if you have gone to the trouble to configure a proxy or firewall to strip potentially-invasive browser (user agent) information, you must disable this as well. Just another example of how Symantec forces you to lower your defenses in order to comply with its alleged "analysis." Oh, and if you're using the AOL browser, please upgrade to the latest version, you know, the one with all the crashes? This is basically done for the same reasons as requiring IE 4.01 or higher--anything less will deprive Symantec of the security holes they rely on to complete this test. See my comments later in the FAQ regarding AOL for why I think AOL is a bad idea in general, and AOL 5.0 is a really bad idea in particular.

Q. Okay, well I'm really curious, so against my better judgement, I upgraded to AOL 5.0, changed my browser to Internet Explorer 5.01, and lowered all my defenses by enabling Java Applets, ActiveX controls, active scripting, and cookies in Internet Explorer’s security settings. I also disabled the stripping of the user information in my proxy. But this report doesn't make any sense. WTF?
A. Well I don't know what your report said, but here's a message I posted when this originally came up regarding what mine said:

[Note: For this FAQ, I have inserted convenient links to pages explaining key features of NIS 2000, so that it will be absolutely clear how well this alleged "analysis" actually corresponds to the main functions of NIS 2000, demonstrating how thinly-veiled this blatant advertisement for NIS 2000 actually is.]

I'd question the validity of a "security check" which requires you to lower your defenses in order to complete. I think this site is of marginal utility at best. I ran it on my machine, and here's what it came up with:

Personal Firewall Check
You are at moderate risk from malicious hackers. The scan did not detect a personal firewall on your PC. (You might be protected by a corporate firewall.) Firewalls monitor all communications made between your computer and the Internet. You can configure a firewall to block unwanted network connections and to filter information.

To fix this problem:
Install firewall software on your computer.

Not sure what that's all about. Got Zone Alarm on high. Didn't receive a single probe alert during the test. Only two just before the test. This section should probably be titled "Norton Internet Security 2000 Personal Firewall Check."
Web Content Filter Check
The scan was able to download adult content to your PC. It did not store anything on your hard disk, but it showed your computer is capable of downloading adult content.

Web browsers can block adult content only when Web sites contain rating information. However, to block unrated Web sites you must use additional software. This scan indicates that no content filtering programs block adult content on your computer other than your browser.

To fix this problem:
If you are concerned about being able to download adult content on your computer, install parental control software that allows content filtering.

This is a "problem?" At any rate, it's predictable, since I'm not running any such software. Sorry, but I don't consider porn to be a "security threat." If I thought I needed to police myself regarding this issue, I'd go out and buy Net Nanny or CYBERsitter, or maybe just join some sort of support group.
Antivirus Software Check
You are at moderate risk from computer viruses. Your PC has a leading antivirus program, but it is not the most current version. Since virus technology changes continually, current antivirus software is essential for your computer’s security.

To fix this problem:
Contact your antivirus software vendor for information about upgrading to the most current revision available. Or, install new virus protection from a leading antivirus company.

Typical, since this site is apparently sponsored by Symantec. I'm running Norton Anti-Virus version 4.04. This test doesn't seem to care that my virus defs are up to date--only that I haven't shelled out the cash for Norton's latest and greatest. Gee, let me go drop that $40 right now!

[Note: Since I posted this message, I have upgraded to Windows 2000, making my Norton Antivirus obsolete in the process. Due largely to the sleazy nature of this site, I decided to give InoculateIT Personal Edition a try instead of buying the newest Norton Antivirus, as I had originally planned. InoculateIT is working great for me, and I suggest you try it too, rather than give cash to Symantec, who have lost a lot of credibility because of this, IMHO.]

Browser Information Check
You are at low risk from losing privacy through browser information. A firewall or other service blocks personal information that your browser normally sends to Web servers, such as the address of the Web site you visited last.
This is to be expected, as I have the referrer turned off in WebWasher.

According to this, my security's full of holes. Funny, that's not what every other security site on the net is telling me. I wouldn't worry about the results of this test. It seems to be geared more toward selling copies of Norton's Internet Security suite than actually evaluating the security of your machine. Oh, how convenient--there's a nice set of links at the bottom I can follow to buy NIS 2000 right now!

(Notice that the tests correspond exactly to the main areas of NIS 2000, and that it tries to tell you that what you're using is inadequate, when obviously it isn't? I wouldn't be surprised if this thing is programmed to spit out this firewall result when using anything but Norton's firewall.)

As you can see, this is little more than an advertisement for Symantec's Norton Internet Security 2000. It is designed to scare both unsecured newbies and people whose machines really are secure into shelling out cash for NIS 2000. Fortunately, you can get 75% of the functionality of this product by running three free programs: I am so incensed at this disgusting marketing tactic (can you tell?) that I will never buy another Symantec/Norton program again. Their willingness to exploit the naEetEof the average internet security newbie and their use of blatant fearmongering tactics to convince people whose machines actually are secured that they have security issues is disgraceful. It calls into question Symantec's integrity, and I would not ever purchase software so vital to the security of my machine from people whom I could not trust. I suggest you consider this point very carefully if you're contemplating the purchase of NIS 2000.

[Note: I recently noticed that they are shamelessly plugging this "analysis" on ZD-TV as well!]

Questions About Open Ports

Q. Help! I've followed Steve's Network Bondage instructions to the letter and even installed a firewall. My port 80 is still open when I probe my ports! What the #@$% is going on?
A. Do you use ICQ?

Q. Yes. How did you know?
A. I'm just special like that. ICQ has it's own web server built in. I bet you didn't know that, did you?

Q. No. Why the #@$% would ICQ be running a web server off my machine?
A. I have no earthly idea. Perhaps they thought their program didn't have enough security issues already.

Q. Well how do I get rid of this thing and close port 80?
A. Open ICQ. Click Services | My ICQ Page. Click Activate Homepage to clear the check mark beside it. Voila!

Please note that if you do not have a check mark beside "Activate Homepage" and you click on it, you will be presented with a warning dialog about activating your homepage. Even if you click "Cancel" in this dialog, your homepage will be activated. This is a big ole bug in ICQ, and could turn into a real pain in the butt for you if you're not careful when you're poking around. Go back and double check this to make sure it stays off. (Thanks to Vynny Ward for pointing this out.)

Q. But "Activate Homepage" wasn't checked.
A. You've got other issues. Something else is running a web server off your machine. This would be a good time for me to ask if you're intentionally running a web server.

Q. No, I'm not.
A. OK, I had to ask. You understand--newbies.

Q. Yeah, I understand. What can I do?
A. Something to try: Open your web browser and browse to "" or "http://localhost/".

Q. What's that gonna do?
A. Those are synonyms for "this machine." Hopefully whatever's serving up web pages will serve one up to your browser and help you figure out what's going on.

Q. Nope, nothing but an error message.
A. Okay. Are you using the Linksys router that Steve and others speak so highly of?

Q. Why yes. Yes I am.
A. As you probably already know, the router is configured via a web interface from one of your local network computers. Apparently, models with older firmware revisions would also keep Port 80 open to the outside, as well as to machines on your LAN.

Q. Egads! What can I do about that?
A. Try upgrading your firmware. Go to That should fix you.

Q. Okay, I'm not using the Linksys box, and none of your other suggestions have closed my Port 80.
A. You might want to ask this one in the newsgroup. There's too many possibilities to cover in this FAQ.

Q. I don't have a Trojan, do I?
A. Probably not, but you never know...

Q. How about port 139? How can I close that?
A. Did you follow Steve's instructions to the letter?

Q. Yeah. Oh, except for that little part about...
A. I can't help you. Do exactly as Steve says and see if that works. Then we'll talk.

Q. OK, I did it and port 139 is still open.
A. Are you sure you did it exactly as he says?

Q. Yes.
A. OK, that's odd. You might want to ask the newsgroup. But don't let me catch you asking before you've followed Steve's instructions to the letter...

Q. OK, I've got all the ports closed and stealthed...except port xxx is still showing only closed. What gives?
A. Are you using some sort of router or are you behind a firewall, other than the personal firewalls we discussed? Are you using Internet Connection Sharing (ICS) or some sort of Network Address Translation (NAT) computer or device?

Q. Yeah.
A. OK, you've got some sort of special situation going on here. Go ahead and post it to the group, after you've scanned all the subject headers for your topic.

Q. ALL of them? There's like 20,000!
A. Yeah, but the nice thing about computers is that they can quickly search through large blocks of data for a particular string. That's why we use them, you know.

Q. But I couldn't follow Steve's instructions. I'm running Windows 2000, and he only tells how to do it under Windows 9x and NT. I tried to follow both of these procedures, but Windows 2000 is very different.
A. You're right. Maybe someday Steve will add the Windows 2000 procedure to his site. Until then, follow the instructions I've posted to the newsgroup:

Securing Windows 2000 is actually easier than securing Windows 98 and far easier than securing NT (as no "dummy" loopback adapter is required). However, it is a different procedure than for either 98 or NT.

First right-click "My Network Places" (love that new name) on your desktop and choose "Properties." Select your connection from the dialog by right-clicking it and choose "Properties" again. Select "Internet Protocol (TCP/IP)" and click--you guessed it--"Properties." In the "Internet Protocol (TCP/IP) Properties" dialog that pops up, click on the "Advanced..." button.

Now in the "Advanced TCP/IP Settings" dialog, click the "WINS" tab at the top. Near the bottom there's a radio chooser to select whether you want NetBIOS over TCP/IP or not. Make sure "Disable NetBIOS over TCP/IP" is selected. Hit OK to back out of everything and you're done!

As far as I can tell, it doesn't matter whether you have "File and Printer Sharing for Microsoft Networks" or "Client for Microsoft Networks" installed or not. If TCP/IP is configured to "Enable NetBIOS over TCP/IP," you'll be vulnerable. For the record, I recommend keeping "Client for Microsoft Networks" installed, since I believe removing it has some not so obvious but important consequences for your networking setup. I have it installed and everything is still closed up, as long as you disable NetBIOS over TCP/IP.

Note that the above procedure is for a LAN/Cable/DSL connection may not work with a dial-up. Bob G. provided me with the following information, which he received from a Microsoft tech support engineer:
As for your question about NetBIOS, I want you to look at your dial-up connection properties and tell me which network components you have checked. To do this, right-click on My Network Places and go to Properties. Then right-click on your dial-up connection and go to Properties. Go to the Networking tab and you should see a list of components down at the bottom. The only component that needs to be checked is Internet Protocol (TCP/IP). If you have anything else checked here then you should uncheck it.

The key is to only have TCP/IP selected and not Client for Microsoft Networks.

Q. How can I tell which ports on my machine are active at any given time?
A. Drop to the Console (DOS Prompt) and type "netstat -a". If you need help interpreting the results, read some in the newsgroup. Also, you will probably see a lot of stuff here. Don't "panic-post." It's okay--relax.

Q. I'm showing Port X is open or "listening." How can I find out what this is used for? Is there a list of what Trojans listen on which ports?
A. Please refer to the following two links provided by Tom Moeller:

Q. I followed the instructions on Steve's Network Bondage pages, but now my dial-up connection won't remember the password.
A. This sort of behavior is often due to a bug in the way Microsoft implements dial-up connections. It has been confirmed by everyone, except Microsoft, who apparently refuses to characterize this anomaly as a "bug." Symptoms are usually that either the "Save Password" box doesn't stay checked or is grayed-out and unusable. The following links are to a pair of Microsoft Knowledge Base articles and a very nice write-up at, for Windows 95 and 98, respectively:
However, for people who are experiencing this problem after performing Steve's Network Bondage procedure, the number one reason is because you removed Client for Microsoft Networks. Although your internet connection will work fine without it (I do not have it installed on my Windows 98 box), if you are unfortunate enough to be using a dial-up connection, you will not be able to save your password unless you have a client of some sort installed.

Your options here are twofold. First, you can go back and follow Steve's instructions to the letter, re-installing Client for Microsoft Networks (CfMSN) and binding it to NetBEUI, which you then ensure is not bound to TCP/IP, in order to both preserve CfMSN and close Port 139. Your other option is to install the more-benign Microsoft Family Logon (MSFL) instead.

Q. I use Windows 95 and Internet Explorer 5.0. I can't seem to find "Microsoft Family Logon."
A. I have heard that Windows 95 doesn't ship with MSFL like Windows 98 does. I have also heard that if you upgrade to Internet Explorer 4.0, that MSFL is then installed and you can use it. Finally, I've heard that if you upgrade from IE 4.0 to IE 5.0, Microsoft Family Logon is un-installed and disappears as an option.

Q. Wow. That's messed-up.
A. Sure is. Looks like you'll be picking Door #1.

Q. I tried to follow Steve's directions exactly, but I'm confused. I use AOL and they put some funky stuff in my Network Properties dialog.
A. Yes they sure do. Check out the following two articles by Fred Langa regarding AOL:

Q. Wow, AOL is sure doing some weird crap to my computer. No wonder it crashes all the time. And I thought Bill Gates was the Anti-Christ.
A. No, Steve Case is the Anti-Christ. Bill Gates is but a lesser demon.

Q. Do you have any evidence to back up these preposterous claims?
A. Steve Gibson points out that entering the phrase "More evil than the devil himself" into a search on Google returns some rather interesting results.

Q. What can I do about this?
A. Dump AOL.

Q. Okay, I quit AOL, but they keep sending me all these CD-ROM's with their software on it.
A. Welcome to the "Coaster of the Month Club."

A. Wow, you sure seem to hate AOL. Does everyone view them with such contempt?
Q. Not necessarily. Here is some feedback I received from MrAlaska regarding my comments about AOL:

I notice you spend a little time on your crusade against AOL. To be fair, I used AOL when I first dabbled my toes in cyberspace, and AOL was invaluable to me. Without them, I would not have learned (or had to learn) how to re-format my hard drive with every update. Aside from these valuable lessons, I have learned a Zen-like patience dealing with customer support idiots, and hours of being on "hold" have taught me more than I knew existed about anger management. Busy signals and getting booted at crucial times even taught me to cry, which will no doubt come in handy if I ever hook up with a chick that likes "sensitive" guys. If you wish to keep your AOL slander in the FAQ, you might mention that AOL users might be much happier if they minimize the AOL program and surf with a real browser.
Q. I went out and bought that Linksys router that Steve recommended so highly. I have a question regarding its configuration.
A. Have you read all the documentation and searched their website for the answer and talked to their tech support?

Q. No.
A. Do that first.

Q. Okay I still can't find the answer. Those guys at Linksys don't have a clue what I'm talking about.
A. Search the headers for the string "Linksys." We've talked about this box quite a lot. If you can't find your answer, then post.

Q. Okay, I just have one specific question. Steve says this box is so great but when I install it, all of my ports go from Stealth to Closed. What gives?
A. Since you can't run Zone Alarm on the Linksys box, the best it can do is report the ports closed. ShieldsUp! is scanning the Linksys box, not your computer.

Q. Can I do anything about this?
A1. Gee Wong made quite a nice post on this issue. I am including it here, unedited, despite his alarming lack of sarcasm:

By default, it should work fine for everybody. However, here are some neat things that can be done with the BEFSR41 to enhance security.
  1. By assigning an IP address of (an IP address not assigned to any machine on the LAN port) as a DMZ host, all ports except 80 become stealthed.
  2. By doing 1 and by forwarding port 80 to, all ports become stealthed.
  3. By doing 1 and 2, and by assigning a machine with a static IP of equipped with port monitoring software, I can produce an audit trail of attacks on my system at, while the rest of the LAN is protected.
A2. Download and install the latest firmware from Linksys. According to a post by KicKstop:
Even though I use a traditional static IP connection, I decided to download the latest firmware for the Linksys DSL/Cable router. On top of adding PPPoe support for those who need it, Linksys was nice enough to include an option under "advanced/filters" called BLOCK WAN REQUEST. Here's what their help file says about it:
This feature is designed to prevent users from attacking through the internet. While enabled, the router will drop both the unaccepted TCP request and ICMP packets from WAN site. The hacker will not find the router by pinging the WAN IP address.
Now owners of the router don't have to do that DMZ and port forwarding to get stealth ports AND pings do not respond!

When I registered my router, I wrote in the comments section that I would have liked to see this feature. Apparently Linksys actually reads comments of their customers.

Q. Do I still need to use Zone Alarm if I use the Linksys Etherfast Cable/DSL Router?
A. You should still use ZoneAlarm for the outbound blocking it provides. (Pithy response courtesy of Chad Heltzel, who probably didn't realize his brevity was so sarcastic.)

Questions About Internet Privacy

Q. Hey! I installed Zone Alarm, but my browser is still accepting cookies? What kind of crappy software is this?
A. Zone Alarm is not a cookie blocker. Your browser has this capability if you'll just configure it. Read on for all the gory details.

Q. OK, my computer is locked down like Ft. Knox, I can surf the net all fat, dumb, and happy again, right?
A. Well that depends on your level of comfort.

Q. Uh, oh. What do you mean?
A. Consider this. You're walking though the mall, when you notice some scrawny little short guy dressed in all black following you around with a notepad. He's writing down every ad that you look at and whether you appear to like it or not. He's noting every store you visit, the kinds of clothes you try on, and what you buy. After a little while, you notice him pull out a walkie-talkie and start talking to someone on it. Later on, you see these guys changing the ads as you approach, in an attempt to show you ads related to the things you've been trying on. Freaked by all this, you go home. Later that night, the phone rings and someone is trying to sell you stuff similar to what you were looking at in the stores. "How did you get my number?" you demand. "I got it from the little black troll--DoubleClick's his name. He followed you around to see what you like and he got your number from your credit card company--you know, the card you used at Victoria's Secret, where you bought that red underwear?"

Q. Whoa, that's freaky. I'd call the cops if that ever happened to me.
A. It's happening right now!

Q. How'd you know what color my undies are? You pervert!
A. No, not that. You see, you're being followed all over the web by that little DoubleClick guy and others like him. They're keeping track of everything you do--every site you visit, every ad you see (especially the ones you click on), and everything you buy. And as soon as you buy something--boom! They've linked your name, address, and telephone number with their big bad profile of everything you like. Shouldn't be long before that creepy guy starts calling you.

Q. Egads! How do I stop them?
A. One way is to destroy their ability to track you across the net. They do this with cookies.

Q. Hah! I don't eat cookies while surfing the net, so they can't be following the crumbs!
A. No, not that kind of cookies. These are little files that they put on your computer, and these files rat out your identity every time you visit a site that checks for them.

Q. The little bastards! Why would I want cookies at all?
A. Some cookies are good. You can customize your pages to suit your needs at some sites. When you return, the cookie identifies you and your customized page is served up. Some sites use a more benign form of preference tracking too. Like tracks the things you look at and buy, and uses that to make recommendations of things you might like.

Q. That's kinda cool, I think.
A. Yeah, until your wife logs on and sees that Amazon is suggesting she buy the new Playboy home video. Busted!

Q. How did you know about that?
A. It's happened to everybody.

Q. Well how can I kill off the bad cookies but retain the useful ones?
A. This is what I've done. I'll explain how to do it in Internet Explorer 5.01, since that's the browser I use. First you have to identify the bad guys.

Q. How do I do that?
A. Go into IE and select Tools | Internet Options... Under Temporary Internet Files, click Settings... In the box that pops up, look at Current location, and write this down. Click Cancel. Click Delete Files... Click OK. Click OK again. Now open up Windows Explorer and navigate yourself on over to that directory with all them Temporary Internet Files in it.

Q. How do I do that?
A. Look this isn't a Windows tutorial. Some stuff you'll have to learn on your own. After you get there, you should pretty much have just cookies in it because you deleted everything else, remember?

Q. How can I tell what's a cookie?
A. It'll have the little text document icon next to it and will start with the word "Cookie." Easy enough? Now you're going to go through these one by one and do one of three things with each one.

Q. What's that?
A. If it's a site you trust, that you use often, and that you want to be able to identify you and personalize content for you, leave the cookie alone. Write down the name of the domain, though, on a piece of paper labeled "Trusted Sites." (The domain is just a general area owned by the site. For example, if you have a cookie from "," just write down "*"--the "*" is a wildcard character and means literally anything ending in

Q. What's the next category?
A. The next category is what I call nuisance cookies. You don't really recognize the site, or use it often, but somehow it's put a cookie on your machine anyway. If you can't link it to advertising or web statistics or something evil, it's just a nuisance cookie. Just delete these. Right-click on the cookie and choose Delete. Confirm that you want to delete the cookie. You don't need to write anything down.

Q. OK, and the third category must be the bad stuff, right?
A. Correctamundo. Anything you can link to an ad company or something that tracks your movements across the web goes in this category. Write the domain name down on another piece of paper labeled "Restricted Sites" and delete these cookies like there's no tomorrow. These are the little guys that have been following you around the web. You've just cut them off.

Q. That's great, but won't they come right back, like some kind of electronic plague?
A. That's where the next step comes in. Open up Internet Explorer and go back to Tools | Internet Options... Click on the Security tab at the top. Click on the little "Do Not Enter" sign that says Restricted Sites. We're going to restrict these anti-social sites because they can't behave. Now click on the Sites... button. Start adding all those domains you copied down on your Restricted Sites list.

Q. OK, all done, what now?
A. Click OK to close the restricted sites. Click on Trusted Sites and do the same procedure to add all your Trusted Sites in there.

Q. Where is all this leading?
A. Well, we're classifying sites. What we're gonna do is set it so that IE won't accept any more cookies from the restricted sites. To do that, click on Restricted Sites again. Verify that the security level is set to high. If it's not, click Default Level. Now it should be. Then, go to Trusted Sites and verify that the security level there is set to medium. If not, click on Default Level again. Now move the slider from low to medium. That will allow your Trusted Sites to place cookies on your machine without asking you first.

Q. What about all the other sites out there that aren't either Trusted or Restricted?
A. Well, that's next. We want to set those sites to be able to set temporary cookies without asking you but force them to ask before putting permanent cookies on your hard drive. We do that by setting the security level to medium in the same way that we set the level for Trusted Sites. Click on the little globe Internet icon. Now, click on Custom Level... Scroll down to the Cookies section and change "Allow cookies that are stored on your computer" from Enable to Prompt. Click OK twice to close all the dialogs. Now all other random internet sites will have to ask before placing cookies on your machine, and you'll have the choice of accepting them or declining them.

Q. OK, I found a lot of bad cookies on my machine. How does my list compare to yours?
A. Here's my most up-to-date list of bad guys:

* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *
* *

Q. Wow! That's a LOT of sites. Do I have to type them all in?
A. Hey! I had to painstakingly scour two years worth of cookies to extract those domains for you. I had to go to their sleazy websites to confirm that they really were ad tracking slimeballs. Then, I had to type each one of them in manually. Not to mention re-typing them here for your reference! However, you could cut-and-paste them, rather than trying to type them all.

Q. Isn't there an easier way?
A. Actually, because I like you, I'll try to help you out. All of the information regarding your internet zones is stored in the registry. Therefore, in an attempt to save you time, I have exported the applicable entries to a file which you may now import.

WARNING! - Downloading and merging the following file will make changes to your registry. If this makes you uncomfortable, you may want to reconsider using this method, and type them in manually. Because of the plethora of different OS/browser combinations, neither I nor GRC will be held responsible for any damage that merging this into your registry causes, or any damage you cause yourself by trying to un-do what it does. This procedure should be considered to be in beta status, and should be regarded accordingly.

This registry file was created by me. I am running Windows 2000 and Internet Explorer 5.01. I have personally tested this registry file on my machine. It's no surprise that it works, since that's where it came from. According to Microsoft Knowledge Base Article Q182569, Internet Explorer 4 and 5 share an identical registry structure for security zone settings. Therefore, I fully expect that this works on machines running Internet Explorer 4.0 or higher. I have now received positive reports from users running all flavors of Windows 9x, NT 4.0, and 2000. If you are running IE 4.0+ and this does not work on your machine, please e-mail me.

The same Knowledge Base article seems to indicate that IE 3 uses a different registry branch to define its security settings. This means that there is little chance that this technique will do anything useful for those of you running Internet Explorer 3 or earlier (gasp). (You really should update your browser, BTW!)

Of course this is useless for Netscape or for operating systems other than Windows (duh) so don't e-mail me to tell me that.

Finally, let me reiterate: you do this at you own risk. I can see no reason why adding these registry keys would cause you any harm, even if it doesn't work for your combination of Windows and Internet Explorer, but we won't take any heat if it does.

With that out of the way, you may now download the Registry Settings file. Make sure to choose "Save this file to disk" in the dialog that pops up. (Note: You may have to right-click this link and choose "Save Target As..." depending on your settings.)

Q. What exactly does nasties.reg do?
A. This Registry Settings file will simply add all of the above sites to your Restricted Sites zone in Internet Explorer. It will not change your security settings in any way. Although I could configure those via the nasties.reg file, I have instead left that for you to accomplish manually, for security reasons. This file is simply a time-saver so that you don't have to type in all of the above sites.

Q. OK, I got it. Now what do I do with it?
A. If you have to ask me that, you might not be ready to utilize this method. However, I know that if I don't tell you, it will just generate a flood of "How do I merge nasties.reg into my registry?" posts, thereby requiring me to include the answer in this FAQ. (You can see the catch 22 coming a mile away, can't you?) First, if you have any sense at all, you're not going to just blindly trust some .reg file you download from somewhere, not even from GRC. So right-click on the file and select Edit. This will allow you to examine it in Notepad. I know you don't understand any of it, so just close Notepad now--at least if your drive gets erased you can tell people you looked at it first. Now right-click on it again and choose Merge. A confirmation may pop up. If it does, confirm that you really want to do this.

Q. Do I need to reboot now?
A. Amazingly, no. (I know you've been cultured to expect a reboot, so I'll wait right here if you want to do it anyway.)

Q. OK, now how do I know that it worked?
A. Well open up the Internet Properties Security tab and check the Sites... under Restricted Sites. If you now have all these domains listed, congratulations, it worked. If not, I'm sorry, but I can't support this, so you're going to be stuck typing them in.

Q. Do you have any other sites in your Restricted Sites list?
A. Yeah, I have some non-ad and to name two.

Q. Hey! Those are respectable mainstream domains! Surely they're not evil ad agencies!
A. No, unlike most of these companies their main business is not ad tracking. However, I've found both of them to be just a little too invasive for my personal preference, without providing any kind of beneficial customization. So in my restricted sites list they go. This is my list. If you don't want to restrict them, don't.

Q. How did you decide to put them in there?
A. I have my Internet Zone configured to prompt for cookies. If I get more than two prompts for cookies from a site I don't want to give a cookie to, that pisses me off. Some sites load as many as 30. Whoever wrote those web pages should be drawn and quartered.

Q. Is AOL on your Restricted Sites list?
A. You bet.

Q. Hey! My company, is listed in your list! I'm gonna sue!
A. Go ahead.

Q. But we're not an evil ad company! We target consumers with the ads they want to see!
A. Fine. I'd like all mine to be blank. Can you do that?

Q. Well no.
A. But those are the ads I want to see.

Q. But...
A. Shut up. You've pissed me off. I'm on to your Orwellian tactics. I won't have it. You're on my list. And soon, you'll be on lots of lists, thanks to this FAQ. Be afraid. Be very afraid.

Q. But if everyone puts me on their list, we won't be able to target our ads and people will have to start subscribing to see good internet sites which are currently ad-supported.
A. If you hadn't pissed off so many people by invading their privacy, you wouldn't be on our lists. If all you did was show ads and you didn't share our private information with others or track our web surfing, we wouldn't be so mad.

Q. But we'll change!
A. OK, sure, whatever. You're still on my list.

Q. What do I have to do to get off your list?
A. You're not getting off my list. You put a stinkin' cookie on my machine and used it to clandestinely track my surfing habits. I'm finished with you. Screw off.

Q. Wow, you sure are pissed at those guys aren't you?
A. Do you have any idea how long it takes to wade through two years worth of cookies and pluck out the cancerous ones? And then write a FAQ about it? You're damn right I'm pissed.

Q. OK, well what if we've missed a site?
A. Look through your cookies about once a month. It shouldn't be such a big deal now, because we've cut off the big offenders and forced everyone else to ask us. If you happen to find a cookie that you don't like, delete it and add the domain to your restricted sites list. That simple. Oh yeah, and then tell me so I can add it to mine and update the FAQ. BTW, Microsoft offers something that will make this task easier. Download their Power Tweaks Web Accessories, and you'll find options to quickly add sites to either Restricted or Trusted Sites right in your Tools menu. Kudos to MS for this one:

Q. Do they make any other neat add-ons for Internet Explorer?
A. Yep. Check out:

Q. Do I have to set up my security zones just like you did?
A. Nope. They're your zones. Set 'em up how you want.

Q. This is all very cool, but I use Netscape.
A. Don't be embarrassed--I used to use Netscape too, but then Microsoft fixed Internet Explorer so that it didn't suck anymore. At least you're not using a Macintosh.

Q. What I mean is how do I do this in Netscape?
A. It is my understanding that there is no concept of security zones in Netscape as there is in Internet Explorer, which is one reason (out of many) that I prefer IE. However, to block all cookies using Netscape or Opera, try this suggestion submitted by Chris Heaven:

Considering many websites deny access if their cookies are not accepted, and that rejecting all cookies is not an acceptable choice for most people, I have a method which allows me to accept no cookies, but indicates to websites that I have. If you rename the cookies.txt file in Netscape to anything but it's original name, this will allow you to create a new directory (folder) in the same location which can be named cookies.txt. In Opera, you would rename the cookies.dat file and then create the new directory with the original name. You can then set the new folder properties to be designated as read-only.

When a site sends you a cookie, your computer will temporarily accept it, deceiving the website into believing the cookie is serving its purpose. In reality, when your computer discovers it can't write the text of a cookie directly to the folder, the cookie just "floats" off into cyberspace. This practice allows me to access sites without them placing any cookies on my system, and also relieves me of having to manage cookies whatsoever. The inconvenience of having to remember and type my user name and password at the few sites I have to is far outweighed by disposing of the cookie issue. [Speak for yourself on this one, Chris!]

Please note, I have heard of people cleaning out all of their cookies, then going directly to websites that required them to sign in, accepting the cookies, and then designating the cookies.txt file as read-only, basically eliminating future cookies much the same as the method I previously described, but still providing the convenience of easy sign-in at selected sites. I have tried this several times, but after I reboot, the file properties revert back to their original state and normal cookie acceptance is enabled once again.

Stan Broski has provided a couple of batch files to automate this process. I suggest you only implement this if you honestly believe you can pull it off without screwing it up, but here it is:
Inspired by pchelp, I even wrote and tested two micro batch files that allow users to easily change the attributes of the cookies.txt file while in the browser window.

These batch files should be stored in the Windows folder. I suppose one file with a switch could be written, but it was easier for me to write two files. They can be executed in mid browser session by using the run menu as follows:

  • Open the run dialog box (Start | Run or hit Windows-R on a 104-key keyboard)
  • Enter the name of the batch file (the extension ".bat" is not needed)
This file called cookoff.bat makes the cookie.txt file read only:
     REM This batch file adds the read only attribute to the
     REM cookies file. Cookies will not be saved.
     @echo off
     attrib +r "c:\Program Files\Netscape\S-jb\cookies.txt"
     echo Cookies will not be saved
     echo Close DOS Window
This file called cookon.bat makes the cookie.txt file writeable:
     REM This batch file removes the read only attribute from the
     REM cookies file. Cookies will be saved.
     @echo off
     attrib -r "c:\Program Files\Netscape\S-jb\cookies.txt"
     echo Cookies will be saved
     echo Close DOS Window
These scripts indicate my particular path entry for the cookies.txt file. Users, of course, will have to substitute their own path and should remember to use quotes if their pathname includes non DOS-friendly pathnames like spaces between words. The final entry in each file is merely a prompt to the user to click on the upper right corner "X" to close the window.
Bob Anderson contacted me separately with much the same method as Chris, and added the following:
When you browse the Net, it is not only those sites you visit that drop cookies on your machine. All those ad banners you see and anyone else the site has sold out to can do the same. This is why Netscape has the option "Accept only cookies that get sent back to the originating server." This option limits cookies to those set by the site you're visiting (the "originating server"), and rejects cookies from the other servers which are supplying the ad banners. You want to enable this option. Go to Edit | Preferences | Advanced, and select "Accept only cookies that get sent back to the originating server."
This is one of the few features of Netscape that I, as an Internet Explorer user, envy. Are you paying attention, Microsoft?

Q. Wow! That's some good info. Do you know anything else about Netscape?
A. I didn't even know that, but Bob also mentions that some more cool Netscape mojo for advanced users is available at:

Q. What about the Macintosh?
A. If there's anything I know less about than Netscape, it's Macs. Can't stand 'em. At least I've actually used Netscape personally. I can't even figure out how to eject a floppy disk from a Macintosh!

Q. You have to drag it into the trash can.
A. Oh, now that's intuitive. You know, where I come from, that would make more sense as a procedure for erasing a disk! Anyway, here's some Mac info from Ross for you poor saps who got suckered in by the translucent fruity beasts:

I have noticed from time to time that a Mac user will ask for information from the group. On the off chance that one would be smart enough to read a FAQ :) and as I have tried to educate some Mac friends about security, I have compiled a couple of links to related sites. An entry level discussion is available at:
For something more technical and Cable/DSL specific, see:
I usually add the following to the end of my rant after they have told me how secure their OS is and, "besides, hackers only attack Windoze machines":
This link is to a Mac hacker site. It shows what type of intrusion tools are readily available. Have a look if you are feeling brave :-)
To my knowledge there are no free solutions. A security suite is NetBarrier:
A firewall-only solution is DoorStop:
Q. Okay, well I use an older version of Internet Explorer and I can't find the Internet Options.
A. It's in the View menu.

Q. Hey thanks, but everything's different than you describe.
A. You really should update your browser. It's free, you know.

Q. I can't--I use AOL.
A. I'm sorry. I've already talked about AOL. Either you've taken my advice or you haven't.

Q. What about ICQ? I've heard it's pretty un-safe.
A. Yeah. That's probably why AOL recently acquired them--fit their corporate image like a glove. Here's the answer I posted to that question recently:

Well there used to be a great "list from the dark side" at It had links to a bunch of programs useful for hacking into ICQ. Unfortunately, it appears to have been yanked, which prompts the question, "Which one of you ratted them out?" However, that many of the vulnerabilities exploited by those tools have been remedied in ICQ v. 0.99b.

For info on ICQ vulnerabilities, as well as some funky music, see:

Q. Wow, that's some intense stuff. Should I dump ICQ too?
A. That's your decision. I find it so useful that I still use it, but I've followed the advice I've read on the net in order to reduce the chances of bad things happening to me. The best and easiest thing to do is to always download and use the newest version. They usually fix the holes that hackers have exploited in previous versions. The hackers then proceed to find new holes.

Q. I read this whole stinkin' Privacy section, and you didn't even mention Aureate/Radiate!
A. When I originally wrote this FAQ, the story hadn't broken yet. Besides, everything I know about Aureate can be found on Steve's Aureate page at

Q. Okay, well here's something that's not on Steve's page. I downloaded OptOut a while ago and I love it. However, now it appears to be expired. I click on the "Update" button and it takes me someplace strange. Do I need to set the clock back on my computer to use OptOut?
A. No. Just download the latest version. It's available from

Q. Because I don't really believe that any application less than 175k in size can effectively do anything useful for me, I downloaded this program called AntiSpy that some guy was touting on some newsgroup. I ran OptOut, followed by this program, and it found all kinds of spyware files that OptOut missed. Does OptOut suck?
A. No, but AntiSpy does. It was hastily written by a hacker calling himself "CoKeBoTtLe" based on an equally hastily released "analysis" of the Aureate technology. According to its ReadMe!SPY.txt file, which provides very little explanation of the program and is mostly just a reprint of the above-mentioned "analysis," AntiSpy apparently searches for and removes the following files:

adimage.dll advert.dll advpack.dll
amcis.dll amcis2.dll amcompat.tlb
amstream.dll anadsc.ocx anadscb.ocx
htmdeng.exe ipcclient.dll msipcsv.exe
Problem is, several of these files are not Aureate files. The files advpack.dll, amcompat.tlb, and amstream.dll are legitimate Microsoft files. Deleting these files could cause unforeseen problems in Windows. If you ran AntiSpy, you would be smart to restore these files from your Windows CD, either through an upgrade re-install of Windows or by obtaining them directly from the cabinet files, if you know how.

Furthermore, as far as I know, AntiSpy does not cleanse the registry of Aureate entires like OptOut does. In addition, the following Aureate files are detected and removed by OptOut, but not by AntiSpy: advert203.ocx and advertx.ocx. Finally, OptOut will remove the directories in which Aureate ads are cached, amc and amcdl under your Windows directory.

What's New and Version History

What's New in Version 1.14 (16 April 2000):

  • Added futile attempt to prevent people from deleting legitimate Microsoft files in their quest to rid themselves of spyware
  • Fixed some inaccurate wording regarding the setting of Trusted Sites security--thanks to Vynny Ward for pointing it out
  • Added instructions for the possibility that a user might have to right-click and "Save Target As..." for nasties.reg--thanks to Ken Shrum for the suggestion
  • Changed references from "" to "" since the "" domain seems to be broken as of late--thanks to reguillo for gently prodding me into this
  • Updated Zone Alarm General Info section to be more version-independent and reflect the latest releases
  • Added a tidbit addressing the issue of homonym abuse (if you are currently thinking to yourself, "Hmmm...I wonder what a 'homonym' is?" then this section probably applies to you)
  • Added a link to the ShieldsUp! FAQ
  • Added references to British lingo
  • Added link to alt.test newsgroup
  • Made some minor (but time-consuming) formatting improvements
  • Added info for closing Port 139 in Windows 2000 with a dial-up connection
  • Removed link to ICQ hacker site, as it's apparently been shut down :(
  • Included "title" text with more of the links

Version 1.13 (09 April 2000):

  • Added two more acronym links
  • Damn typos--crushed a bunch
  • Added a warning about activating your ICQ homepage inadvertently
  • Renamed most of my images and the ad-sites.reg file due to what can only be characterized as a grossly-overbroad default filter in Norton Internet Security 2000 (and @guard as well) wanting to transform any file that begins with the string "ad-" into a transparent GIF--this is the crux of the problems that several users have been having with downloading the ad-sites.reg or files--thanks to Sebastian Schlueter for bringing this remarkably stoopid behavior to my attention (I toyed with renaming it to NIS-Sucks.reg, BTW)

Version 1.12 (08 April 2000):

  • Added ad-filtering software to the list of useful programs
  • Got so sick of answering "How do I close port 139 in Windows 2000?" that I added it to the FAQ (this is really easy to figure out on your own, BTW, which is why it wasn't in the earlier release)
  • Added a note to clarify that I have yet to receive a paycheck from Gibson Research Corporation, and therefore, as far as I know, I do not work for them, nor do I answer technical support questions regarding anything but this FAQ on a one-on-one basis (and even then you might be pushing your luck)
  • Fixed a couple of typos that I caught all by myself, thank you
  • ad-sites.reg is now distributed in ZIP format, due to the fact that several people have been experiencing problems getting it to save correctly on their machines--seems it wanted to think it was a GIF
  • Added additional ad domains, thanks to several readers who wrote in
  • Changed compatibility wording for ad-sites.reg--I now firmly believe this works on IE 4.0+ running on all flavors of Windows
  • Added info on using Microsoft NetMeeting with Zone Alarm
  • Added lots of good info about cookies in Netscape and Opera
  • Added warning about possible problems with InoculateIT PE
  • Added section regarding the dial-up save password problem after performing Network Bondage
  • Added a downloadable ZIP'ed version for offline viewing
  • Added section to debunk the horrible "security test" from ZD-TV/Symantec
  • Added a couple of resources for determining what applications are associated with which ports
  • Added info about common newsgroup abbreviations

Version 1.11 (04 April 2000):

  • Put the smack-down on some broken links resulting from the move to
  • Beat back some more of those pesky typos
  • Added anchors for sub-sections and digested the Table of Contents to that level of detail
  • Added links back to the Table of Contents from each section
  • Small design changes
  • Toned down angry rant against advertisers so I don't get sued (but I'm still mad)

Version 1.10 (04 April 2000):

  • First public release version
  • What's New and What's To-Do have been moved to the end (but you've probably noticed that...)
  • I discovered some problems with the "xxx.*" format domain entries--basically they don't work - Microsoft's bug--so I had to change that list and the .reg file

Version 1.07 (04 April 2000):

  • Final pre-release version
  • Added big news regarding the invention of the "Advertisers Zone" to the To-Do List
  • Fixed the wording of the description of Zone Alarm's "Desk Band" to match Zone Labs' FAQ and actual questions
  • Added instructions for disabling HTML posting in Netscape

Version 1.06 (03 April 2000):

  • Updated .reg file compatibility list (upgraded status from alpha to beta release)
  • Improved typeface for readability and enhanced style
  • Minor revision to What's New section layout
  • Added links to some great online image shrinkers
  • Added a link to pchelp's informative web site

Version 1.05 (03 April 2000):

  • Fixed some more typos--all questions should now be terminated with question marks
  • Added Q&A about using ZoneAlarm with the Linksys device
  • Added Description of FTP PASV Transfer Mode
  • Added link to latest version of OptOut for the "expirationally-challenged"
  • Created a .reg file to automatically import the Restricted Sites (this should be considered to be alpha stage right now)
  • Revised the Netiquette section to reflect recent (and soon-to-be) changes in posting policies
  • Added instructions for disabling Zone Alarm Desk Band
  • Added link to MSIE Power Tweaks Web Accessories
  • Added info on "Distributed COM Services"
  • Added more good ju-ju about stealthing the Linksys box

Version 1.04 (01 April 2000):

  • This revision is "no joke"
  • Moved discussion of Linksys firmware nearer to the Port 80 thread where it belongs
  • Added info about Windows Explorer requesting internet access
  • Added list of links to other useful sites
  • Added angry rants about capitalization and subjects

Version 1.03 (31 March 2000):

  • Removed remaining preformatted blocks and replaced them with easier to read blockquotes
  • Added links to Bill Gates' and Steve Case's web sites, in case you've been in a coma for the past decade

Version 1.02 (31 March 2000):

  • Fixed some more of those pesky typos
  • Added Cookie Viewer to list of software
  • Contemplated the suggestion to make links open in a new window, but didn't actually decide to implement it yet, pending feedback
  • Added info regarding Linksys firmware update to close Port 80
  • Added description of why ICQ sometimes requires server access--thanks to Sebastian Schlueter for answering one of my questions

Version 1.01 (31 March 2000):

  • Sat around for a long time and did nothing, but then...
  • Fixed all the typos everyone pointed out
  • Removed everything but ad companies and the real nasties from the Restricted Sites list
  • Added two Q's explaining why I sometimes add mainstream domains to Restricted Sites
  • One word: hyperlinks!
  • Removed the pronoun discussion entirely
  • Added a Table of Contents, with hyperlinks to the major categories
  • Added Introduction, To-Do List, and--would 'ya look at that--What's New's new
  • Added message attachment rant to Netiquette section
  • Added info about Zone Alarm 2.1 beta
  • Incorporated a compiled list of useful software
  • Incorporated some legal points
  • The really cool Google search made the cut
  • Incremented the number of newsgroup messages to more accurately account for the 10,000 that have been posted since I wrote v. 1.00

Version 1.00 (29 February 2000):

  • If you are wondering about this, you may not meet the minimum requirements for this FAQ

What's Still on the "To-Do" List?

  • Break the FAQ up into smaller, more manageable pieces
  • Include resolved IP numbers with ad domains to foil attempts to circumvent my technique
  • Create the "Advertisers zone" in Internet Explorer:
I have recently embarked on a quest to further simplify the complete denial of information to internet advertisers and those who would track your surfing habits from site to site. After Milly Peters brought this amazingly-versatile idea to my attention, I have been working feverishly to implement the "Advertisers zone" for Internet Explorer! The following is an actual (un-retouched) screen shot of my Internet Options Security dialog after the addition of the Advertisers zone:

The Advertisers zone is completely separate and independent from your normal security zones!  And it's like a life sentence without parole for invasive advertisers!

The Advertisers zone will consist entirely of the various domains which constitute threats to personal privacy on the internet, as I have detailed in the Internet Privacy section of this FAQ.

Who do you want to castrate today?E></div>
		The advantage over the procedure currently described in that section of the FAQ is this: if you already have some sort of security scheme set up for your machine, this method will not alter it in any way.  Because it adds these evil domains to the newly-created Advertisers zone and <em>not</em> to the Restricted Sites zone, you can continue to use the Restricted Sites zone however you wish!  Additionally, by default, the security settings for this zone are <em>through the roof</em>!  If it can be restricted, rest assured that it will be for these advertising and habit tracking engines.  And all of this is accomplished without adjusting your current Internet Explorer security settings one iota!
			<div align=Don't EVER take cookies from a stranger--even if they claim you can 'Opt-Out'!  Note the Advertisers zone clearly identified at the lower right.  (Click to enlarge image.)
Once I have finished testing this new technique, I will re-write the Internet Privacy section and link to a Registry Settings (.reg) file which will accomplish all of this automatically for you. The only system requirements will be Internet Explorer 5.01 running on some flavor of Windows, and that you have Minesweeper installed (if you want the cool icon--if not, you get the generic icon, but the settings will still work). That's it!

I'm very excited about this, and I know you'll be too. I'll be sure to let you know just as soon as everything is all tested out and ready to go!

Please direct any suggestions, tips, tricks, or fan mail,
regarding this FAQ to its author and maintainer,
Chris Baker at:

To continue, please press your browser's BACK button.

You are invited to browse these pages for additional information:

1  Shields UP! Home 
5  Network Bondage 
9  Public Forum 
2  Explain this to Me! 
6  Evil Port Monitors 
10  Be Notified 
3  Am I in Danger? 
7  Personal Firewalls 
11  FAQ 
4  What Can I Do? 
8  Further Reading 
12  Site Evolution 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (3,851.91 days ago)Viewed 47 times per day