Computer-based systems and methods are disclosed for a comprehensive security model for managing active content downloaded from a computer network. The security model includes the configuration of a system security policy that is stored on a host computer. The system security policy is configured by security zone in progressively "finer grain" levels with each level associated with and defining the previous level. These levels may include: protected operations; user permission sets, permissions, parameters and primitives associated with parameters. A requested permission set is provided by the publisher of active content that lists the permissions that the active content requires in order to run on the host system. The requested permission set is automatically compared to one or more user permission sets to determine the permissions, if any that will be granted on the host system. The automated set comparisons includes determining a directional permissions sets comparison result, which is "directional" in that it maintains the distinction between the "superior" user-defined set and the "inferior" requested set. Determining the directional permissions sets comparison result may include determining directional primitive comparison results and merging them into a directional parameter comparison result; and determining directional parameter comparison results and merging them into a directional permission comparison result; and, determining directional permission comparison results and merging them into a directional permissions sets comparison result. The disclosed method may be practiced in the comparison of any two sets where a directional result is desirable.