Changes in Internet Explorer for Windows Server 2003

May 7, 2003

Please note: Portions of this transcript have been edited for clarity

Hosts:

  • Rob Franco, Internet Explorer
  • Brian Countryman, Program Manager in Internet Explorer

 

Moderator: Ken (Microsoft)

Welcome to today's TechNet Chat. Our topic is Changes in Internet Explorer for Windows Server 2003. Questions, comments, and suggestions are welcome.

I'll now have the host introduce himself now.

Host: Rob (Microsoft)

Hi, I'm Rob from the Internet Explorer team.

Host: Rob (Microsoft)

Q: Hi Rob, we're developing a MMC snap-in that displays HTML content. are there any limitations for such things on Windows Server 2003?

A: Yes there are...An important change of the IE Enhanced Security Configuration is that any HTML content hosted using Internet Explorer runs with lower privileges for example the MMC uses Internet Explorer to render HTML and therefore your HTML may run with lower privileges ... by default Lower privileges means that by default script and activex among other things will be blocked. However, as an application developer you can add the URL of the content you need to work to the ESC Trusted sites list either through the API, the preferred way, or directly to the registry, in both scenarios though its VERY important to make sure you write to the ESC Trusted sites, not vanilla Trusted Sites

Host: Rob (Microsoft)

Q: So does those "lower privileges" apply to all applications that use the WebBrowser control, such as HTML Help, too?

A: Yes, by default, all applications that use the WebBrowser control have the same behavior as IE. The best workaround is to add the sites as described in the documentation

Here is the URL for documentation on building an app or a website to work well with the IE Enhanced Security Configuration: https://msdn.microsoft.com/workshop/security/szone/overview/esc_changes.asp

Host: Rob (Microsoft)

Q: Are there any other limitations for apps that use WebBrowser control besides "lower privileges" (i.e. COM interface limitations)?

A: No, the behavior changes due to ESC are all in the UI in two locations: 1) Security Zone settings 2) Settings in "Internet Options" "Advanced"

Host: Rob (Microsoft)

Q: when will IE get transparent PNG support?

A: Ian, I'm sorry, I can't answer that question for you

Host: Rob (Microsoft)

Q: Our app uses Explorer toolbands (Explorer bars). Will they work exactly as in Windows XP, for example (no limitations)?

A: Yes, however Browser Helper Objects are off by default which is a change from the default behavior on Windows XP

Host: Rob (Microsoft)

Q: Rob, can you post the links for all the IE hardening info available on the Microsoft site?

A: Here is a link the covers the changes to the user experience for the Enhanced Security Configuration. This is a handy reference for Users, Developers and Admins alike to gain baseline understanding of IE ESC, add it to your favorites if you haven't rea

https://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true

We also have a whitepaper for Corporate Admins to be able to centrally manage IE ESC: =<https://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en >>

Clearly its important for Admin's to preconfigure the ESC for desired sites to be allowed to run script, activeX and execute files on UNC paths (another key change)

Host: Rob (Microsoft)

Q: Ah, that's important (we're using BHOs a lot). Is an app allowed to turn on BHOs again? Is it possible to turn on BHO support for just one single app?

A: BHO's are very powerful and always running, as such they are expose attack surface. If you need to use a BHO, you might configure it to only run from a certain desktop shortcut for your app. There is no native ability to toggle them on for certain site. However, you could certainly add defense in depth to only run your BHO for known sites, but under those circumstances you could also use an ActiveX control and the existing ESC Trusted sites zone

Host: Brian (Microsoft)

Q: Are there any limitations in WinInet in Windows Server 2003?

A: There have been several security improvements to Wininet in Server 2003, but Wininet is at a lower level in the netowrk stack than the Zones architecture of Internet Explorer. Wininet is essentially unchanged, except for the improved security. Apps should see no difference, except as regards a few specific bug fixes.

Host: Rob (Microsoft)

Q: What is a BHO?

A: A Browser Helper Object is a powerful extensibility mechanism that allows you to add features to the browser itself

Host: Rob (Microsoft)

Q: Rob, so there is no way to use a BHO within Internet Explorer (not apps that use the WebBrowser control)? We're using a BHO in Internet Explorer in conjunction with an Explorer toolband.

A: By default BHOs are disabled, users can reenable them if needed

Host: Rob (Microsoft)

Important note: To execute exes, vbs files etc over UNC paths, you must add the machine hosting the file to your Local Intranet sites list

Another Important note: You should be careful to add local intranet vs. trusted sites when needed. Some people put Intranet URLs in the Trusted sites list and then get prompted for their intranet's creds on each navigate

Host: Brian (Microsoft)

Q: when / will there be the next version of IE?

A: As part of the OS, IE will continue to evolve, but there will be no future standalone installations. IE6 SP1 is the final standalone installation.

Host: Rob (Microsoft)

Q: What's the long-term outlook for IE as a development platform? Are there major limitations planned for future releases (such as in Longhorn) due to security reasons? I know that this is a concern to many developers that rely on IE technology.

A: Security continues to be a top priority. The platform will change for longhorn but you can expect the client, where folks need to browse, to not be as restrictive as the server. I encourage folks to get involved in our beta program to help us evolve the platform

Host: Brian (Microsoft)

Q: Why is this? the anti-trust? (no further standalone)

A: Although this is off topic, I will answer briefly: Legacy OSes have reached their zenith with the addition of IE 6 SP1. Further improvements to IE will require enhancements to the underlying OS.

Host: Rob (Microsoft)

Thanks everyone, great questions, hope to see you at teched!

Host: Brian (Microsoft)

Thanks, all!

Moderator: Ken (Microsoft)

Thanks for joining us today and thanks for the questions.

For further information on this topic please visit the following:

Newsgroups: microsoft.public.windows.inetexplorer.ie5.gen.discussion

IE Transcripts: Read the archive

Website: Visit the home page for Internet Explorer