I posted a few weeks back about the Internet Explorer Security Zones.
This came up because MDAC 2.8, in order to use certain features of the ADODB.Stream object, requires the site to be in the Trusted Sites zone; it will not work in the My Computer or Local Intranet zones. Details can be found here. This flies in the face of how we have traditionally interpreted the zones.
In fact, there are many indications in Microsoft documentation and products that the Local Intranet zone was indeed considered more trusted than the Trusted Sites zone at some point in the past.
By default, the .NET Framework trusts Local Intranet more than Trusted Sites: code from the Trusted Sites zone gets the Internet permission set, while code from the Local Intranet zone gets the LocalIntranet permission set, which adds permissions such as Reflection, Environment Variables, DNS, and Event Log. This implies that the .NET Framework team ranks the zones Local Intranet > Trusted Sites.


There is plenty of language on MSDN and Microsoft.com that implies the same approach to these zones.
For example:
Local Intranet Zone: After the Local intranet zone is confirmed to be secure, consider changing the zone's security level to Low so that users can perform a wider range of operations. You can also adjust individual security settings by using the Custom level of security for this zone. If parts of your intranet are less secure or otherwise not trustworthy, you can exclude the sites from this zone by assigning them to the Restricted sites zone.
Trusted Sites Zone: By default, the Trusted sites zone is assigned the Low security level. This zone is intended for highly trusted sites, such as the sites of trusted business partners.
(http://www.microsoft.com/windows/ie/using/howto/security/setup.asp, emphasis my own)
Even the registry keys are numbered in the order in which we have traditionally viewed the zones (0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites)...
Microsoft hasn't been able to give us a rational reason for the change or, more importantly, assure us that this will actually be the approach taken by all teams. In fact, it was even admitted today that 'the various teams have interpreted the zones differently'.
Am I the only one who sees that as a problem?
There are a number of issues at play here.
The most important to me is that zone membership is mutually exclusive. That is, a site can't be a member of both the Local Intranet and the Trusted Sites zones. Actually, they insisted today that it can - although I'll believe it when I see it. You certainly can't add a site explicitly to more than one zone, as you can see below, and IE doesn't seem to fall through to the next zone if something fails under the explicit zone setting.

(Then again, if someone can prove me wrong on this point, please do so - it would be very helpful and mitigate many of my concerns...)
Here's where MDAC 2.8 throws a wrench in the works. It forces us to move all of our Local Intranet sites into the Trusted Sites zone, thus effectively eliminating the Local Intranet zone. But as I said, there doesn't seem to be a coherent strategy here. No one can tell us why the MDAC team has interpreted the zones this way or whether future teams will interpret it the same way. If that's the case, what's to prevent another team from coming around and explicitly requiring our site to be in a different bucket?
And, should we have to mix Internet and Intranet sites in the Trusted Sites zone, Windows Authentication becomes a potentially serious risk. (We obviously don't want our Kerberos/NTLM credentials being sent to Internet sites.) Internet Explorer offers four settings for how authentication is handled (the per-zone 'Logon' option under User Authentication):
Anonymous logon
Automatic logon only in Intranet zone
Automatic logon with current user name and password
Prompt for user name and password
'Automatic logon only in Intranet zone' seems to be the logical choice - I would interpret this to mean that, within the Trusted Sites zone, all Intranet sites automatically log in, but our credentials are not sent to any Internet servers. Of course, it doesn't work that way. The option is evaluated against the zone the site actually resolved to, so when logging in to an Intranet site (even using the RDN, the unqualified host name), credentials are not sent because - surprise, surprise - the site is in the Trusted Sites zone, not the Intranet zone.
UPDATE: The automatic login works in the Windows 2003 version of Internet Explorer, but not in XP.
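To make the zone-membership and logon behaviour above concrete, here is an added example (Python, written for this page; it is not code from the original post or from Microsoft). It parses a constructed .reg export of the per-user ZoneMap\Domains keys and the per-zone "1A00" Logon DWORD, resolves the zone a host lands in (an explicit ZoneMap entry wins; otherwise an undotted name is treated as Local Intranet, which assumes the "include all local sites not listed in other zones" option), and then reports whether the current Windows credentials would be sent. The host names, the export text and the simplified suffix-matching rule are assumptions for illustration; the 1A00 values and zone numbers are IE's documented ones.

```python
# Added example, not from the original post: resolve a host's IE zone from an
# exported ZoneMap, then apply that zone's Logon (1A00) policy. The .reg text
# is constructed; suffix matching is a simplified approximation of IE's rule.
import re

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Per-zone DWORD "1A00" = Security Settings > User Authentication > Logon
LOGON_AUTO = 0x00000           # Automatic logon with current user name and password
LOGON_PROMPT = 0x10000         # Prompt for user name and password
LOGON_AUTO_INTRANET = 0x20000  # Automatic logon only in Intranet zone
LOGON_ANONYMOUS = 0x30000      # Anonymous logon

IS_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
DOMAINS_PREFIX = IS_KEY + "\\zonemap\\domains\\"
ZONES_PREFIX = IS_KEY + "\\zones\\"

# Constructed export: an intranet short name and one partner host pushed into
# Trusted Sites (zone 2) for MDAC, with 1A00 left at "only in Intranet zone".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\partner.example\www]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00020000
"""

def parse_reg(text):
    """{key_path: {value_name: dword}} for a .reg export, lower-cased (registry is case-insensitive)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys

def zone_map(keys):
    """{name: (covers_subdomains, {scheme: zone})}: a bare Domains\\<domain> key
    covers the domain and everything under it; a <domain>\\<host> subkey covers one host."""
    mapping = {}
    for path, values in keys.items():
        if path.startswith(DOMAINS_PREFIX):
            parts = path[len(DOMAINS_PREFIX):].split("\\")
            if len(parts) == 1:
                mapping[parts[0]] = (True, values)
            elif len(parts) == 2:
                mapping[parts[1] + "." + parts[0]] = (False, values)
    return mapping

def resolve_zone(host, scheme, mapping, plain_names_are_intranet=True):
    """Explicit ZoneMap entry wins (most specific name first; a value named for the
    scheme beats "*"). Otherwise an undotted name is Local Intranet (assumes the
    "include all local sites" option) and anything else Internet. Exactly one zone."""
    labels, scheme = host.lower().split("."), scheme.lower()
    for i in range(len(labels)):
        entry = mapping.get(".".join(labels[i:]))
        if entry is None or (i > 0 and not entry[0]):
            continue
        zone = entry[1].get(scheme, entry[1].get("*"))
        if zone is not None:
            return zone
    return 1 if plain_names_are_intranet and len(labels) == 1 else 3

def auto_logon_allowed(zone, logon_setting):
    """Does IE hand over the current NTLM/Kerberos credentials unprompted? With
    LOGON_AUTO_INTRANET only when the site resolved to zone 1, whatever its name."""
    if logon_setting == LOGON_AUTO:
        return True
    return logon_setting == LOGON_AUTO_INTRANET and zone == 1

def credentials_sent(host, scheme, reg_text, logon_overrides=None):
    """(zone, sent) for host under the export; logon_overrides={zone: 1A00} tries another Logon setting."""
    keys = parse_reg(reg_text)
    zone = resolve_zone(host, scheme, zone_map(keys))
    setting = (logon_overrides or {}).get(zone, keys.get(ZONES_PREFIX + str(zone), {}).get("1a00"))
    if setting is None:
        raise KeyError(f"no 1A00 value exported for zone {zone}")
    return zone, auto_logon_allowed(zone, setting)

if __name__ == "__main__":
    for host, scheme in [("intranet", "http"), ("fileserver", "http"), ("www.partner.example", "http")]:
        zone, sent = credentials_sent(host, scheme, SAMPLE_REG)
        print(f"{scheme}://{host} -> {ZONE_NAMES[zone]}, credentials sent: {sent}")
```

The short name `intranet` resolves to Trusted Sites because of its explicit ZoneMap entry, so with "Automatic logon only in Intranet zone" no credentials are sent, exactly the behaviour described above; `fileserver`, which has no entry, falls into Local Intranet and does get automatic logon. Passing `{2: LOGON_AUTO}` as an override shows the only setting that restores automatic logon for the moved intranet names, and it applies to every Internet host in Trusted Sites as well, which is the credential-leak risk of mixing the two.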
Perhaps one of my enlightened readers can offer me some insight, because I certainly can't make sense of why it was done this way.
