Testing Applications for Compatibility with the Enhanced Security Configuration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When a user or an administrator opens Internet Explorer for the first time on Windows Server 2003, a default home page that contains information about the Internet Explorer Enhanced Security Configuration is displayed in the browser window. If the user is not a member of the Administrators group, the home page describes the Enhanced Security Configuration and explains how the user can access a Web site that is not trusted. If the user is a member of the Administrators group, the home page describes the Enhanced Security Configuration in detail and explains how the administrator can modify it. Because OEMs can set a different default home page as part of their system configuration, a warning explaining that the Enhanced Security Configuration is enabled is also displayed in a separate dialog box. Users can permanently dismiss this dialog box.

When users start Internet Explorer directly — for example, by clicking a shortcut to Internet Explorer or by clicking Internet Explorer on the Start menu — these messages provide clear guidance for what to do if a Web site does not display properly or if a network resource cannot be reached. However, if an application starts Internet Explorer, the user might not receive these warnings and, consequently, will not understand why the application is failing or how to resolve the problem.

There are four primary types of problems to look for when you test server applications under the Internet Explorer Enhanced Security Configuration settings.

Sites and UNC paths are not listed in the trusted Web content zone   Look for cases where an application starts Internet Explorer so that the user can view a Web site, download files, or run a Web-based application. If the application cannot access these Web sites, applications, or resources, see if you can resolve the problem by adding the Web site or UNC path to the Trusted sites zone or to the Local intranet zone (if appropriate).

Use of client-side redirection   Look for cases where an application’s online content relies on client-side redirection (for example, an application tries to open a Web page, but then gets routed automatically to a different URL). Client-side redirection is disabled under the Enhanced Security Configuration. For client-side redirection to work properly, the target Web site needs to be added to either the Trusted sites zone or to the Local intranet zone (if appropriate).

Dependency on ActiveX components   Look for cases where an application accesses a Web site that relies on Active X components to display properly, such as a Web site that requires Macromedia Flash or Adobe Acrobat. You need to download and install these types of Web-based applications and ActiveX components on a per-computer basis, as you would do with any other application software.

Use of Internet Explorer features   Although they are not obvious, look for cases where an application relies on Internet Explorer features and components — for example, Install on Demand or multimedia features.

While most applications that rely on Internet Explorer features will work properly, in some cases an application, or some extensible component within an application, might attempt to access an Internet Web site that relies on a script or an ActiveX component. In these cases, if the Web site is not listed in the Trusted sites zone, the script or ActiveX component will not run properly, and the user will be prompted to add the Web site to the Trusted sites zone. You can eliminate the need for user intervention by identifying the scripts and ActiveX components that an application relies on and by deploying those scripts and ActiveX components to your user base, just as you would any application.