Computer-based systems and methods are disclosed for a comprehensive
security model for managing active content downloaded from a computer
network. The security model includes the configuration of a system
security policy that is stored on a host computer. The system security
policy is configured by security zone in progressively "finer grain"
levels with each level associated with and defining the previous level.
These levels may include: protected operations, user permission sets,
permissions, parameters and primitives associated with parameters. A
requested permission set is provided by the publisher of active content
that lists the permissions that the active content requires in order to
run on the host system. The requested permission set is automatically
compared to one or more user permission sets to determine the permissions,
if any, that will be granted on the host system. The automated set
comparison includes determining a directional permissions sets comparison
result, which is "directional" in that it maintains the distinction
between the "superior" user-defined set and the "inferior" requested set.
Determining the directional permissions sets comparison result may include
determining directional primitive comparison results and merging them into
a directional parameter comparison result; determining directional
parameter comparison results and merging them into a directional
permission comparison result; and determining directional permission
comparison results and merging them into a directional permissions sets
comparison result. The disclosed method may be practiced in the comparison
of any two sets where a directional result is desirable.
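
The bottom-up comparison and merge described above can be sketched as follows. This is an added example, not code from the disclosure. The four result names, the merge rule (a direction holds for the whole only if it holds for every part), the treatment of an absent entry as "nothing requested" or "nothing allowed", and the sample permission names are all assumptions made for illustration.

```python
from enum import Enum
from functools import reduce

class Dir(Enum):
    # Value = (requested within user set, user set within requested).
    # These four result names are assumptions for this example.
    EQUAL = (True, True)
    SUBSET = (True, False)         # requested asks for less than the user set allows
    SUPERSET = (False, True)       # requested asks for more than the user set allows
    INCOMPARABLE = (False, False)  # less in one place, more in another

def merge(a, b):
    """A direction holds for the whole only if it holds for every part."""
    return Dir((a.value[0] and b.value[0], a.value[1] and b.value[1]))

def cmp_primitive(user, req):
    """Sets compare by inclusion; numeric limits and booleans by <=."""
    return Dir((req <= user, user <= req))

def cmp_level(user, req, cmp_child):
    """Compare two dicts key by key, then merge the child results upward."""
    results = []
    for key in sorted(user.keys() | req.keys()):
        if key not in req:
            results.append(Dir.SUBSET)    # assumption: absent means nothing requested
        elif key not in user:
            results.append(Dir.SUPERSET)  # assumption: absent means nothing allowed
        else:
            results.append(cmp_child(user[key], req[key]))
    return reduce(merge, results, Dir.EQUAL)

def cmp_parameter(user, req):        # primitives -> parameter result
    return cmp_level(user, req, cmp_primitive)

def cmp_permission(user, req):       # parameters -> permission result
    return cmp_level(user, req, cmp_parameter)

def cmp_permission_sets(user, req):  # permissions -> permission-set result
    return cmp_level(user, req, cmp_permission)

# Constructed sample data: permission -> parameter -> primitive.
USER = {"FileIO": {"read": {"paths": {"/tmp", "/home/u/docs"}, "max_bytes": 1_000_000}},
        "Net": {"connect": {"hosts": {"example.com"}, "ports": {443}}}}
REQ_LESS = {"FileIO": {"read": {"paths": {"/tmp"}, "max_bytes": 1_000_000}}}
REQ_MIXED = {"FileIO": {"read": {"paths": {"/tmp"}, "max_bytes": 5_000_000}}}

if __name__ == "__main__":
    for name, req in [("less", REQ_LESS), ("mixed", REQ_MIXED), ("same", USER)]:
        print(name, cmp_permission_sets(USER, req).name)
```

A symmetric "same or different" test would report both REQ_LESS and REQ_MIXED as simply different from the user set. The directional result separates a request that stays inside the user-defined set from one that exceeds it in a single primitive.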