Internet Explorer Pop-up Blocker

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Pop-up Blocker do?

Pop-up Blocker blocks most unwanted pop-up windows from appearing. Pop-up windows that are opened when the end user clicks a link will not be blocked.

End users and IT administrators can let specific domains open programmatic pop-up windows. Developers will be able to use or extend the pop-up functionality in Internet Explorer for applications hosting Internet Explorer.

Who does this feature apply to?

For most end users, browsing the Web will be less annoying, because unwanted pop-up windows will not automatically appear.

For Web developers, Pop-up Blocker affects the behavior of windows opened by Web sites, for example, by using the window.open() and showHelp() methods

For application developers, there is a new user interface called INewWindowManager.

Applications that use the rendering engine in Internet Explorer to display HTML can choose to use or extend the Pop-up Blocker functionality.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

The Pop-up Blocker is a new feature for Internet Explorer which can be broken down into three sections:

  • User experience changes, defaults, and advanced options.

  • Changes in behavior of current application programming interfaces (APIs), such as window.open and showHelp.

  • The new INewWindowManager interface, which allows applications to use the pop-up technology in Internet Explorer.

Pop-up Blocker features

Detailed description

Defaults

Pop-up Blocker is turned on by default. There are restrictions on the size and position of pop-up windows, regardless of the Pop-up Blocker setting. Pop-up windows cannot be opened larger than or outside the viewable desktop area. For more information, see "Windows Restrictions" in this document.

When this functionality is enabled, automatic and background pop-up windows are blocked, but windows that are opened by a user click will still open in the usual manner. Note that sites in the Trusted Sites and Local Intranet zones do not have their pop-up windows blocked by default, as they are considered safe. This setting can be configured in the Security tab in Internet Options.

Enabling Pop-up Blocker

Pop-up Blocker is enabled by default. You can change this in the Tools menu, with the Pop-up Blocker item, or in the Information Bar when a pop-up is blocked.

When a pop-up window is blocked

If a site opens a pop-up window that is blocked by Internet Explorer, a notification appears in the Information Bar and status bar and a sound is played. If you click the notification in the Information Bar or status bar, you see a menu with the following options:

  • Temporarily Allow Pop-ups. Reloads the page, allowing pop-up windows.

  • Always Allow Pop-ups from This Site. Adds the current site to the Allow list.

  • Settings. Shows more Pop-up Blocker settings menu items and gives access to the Pop-up Blocker Settings window.

Note

You can allow pop-up windows to open by pressing CTRL while the pop-up is opening

Advanced options

Internet Explorer provides advanced configuration options through Pop-up Blocker Settings. To access these settings, open Internet Options, click Privacy and then in the Pop-up Blocker area click Settings to open Pop-up Blocker Settings. You can configure the following options:

  • Address of Web site to allow. Enter a URL and click Add to add sites to the Allowed sites list. Any site on the list can open pop-up windows.

  • Filter Level. There are three different filter levels that you can use with Pop-up Blocker:

    • High: Block All Pop-ups. The default behavior of Pop-up Blocker allows sites to open a pop-up window when the user clicks a link. This setting changes that behavior by blocking windows that are opened from a link. If this setting is enabled, you can allow pop-up windows to open by pressing the CTRL key at the same time that you click the link to launch the pop-up.

    • Medium: Block most automatic pop-ups. This is the default Pop-up Blocker setting. This setting blocks most pop-ups that launch automatically when a Web site is loaded into your browser, but doesn't block pop-ups that are opened when you click a link.

    • Low: Allow pop-ups from secure sites. This setting allows secure Web sites (those that use the https:// protocol) to automatically launch pop-up windows without requiring that you add them to the Allowed sites list.

  • Configure Sound. You can toggle whether or not Pop-up Blocker plays a sound when a pop-up is blocked through Pop-up Blocker Settings. To do this, open Internet Options, click Privacy and then in the Pop-up Blocker area click Settings to open Pop-up Blocker Settings. In the Notification and Filter Level area, select or clear the check box next to Play a sound when a pop-up is blocked as appropriate.

    You can also change the sound that plays. To do this, click Start, click Control Panel, and then double-click the Sounds and Audio Devices icon to open its properties sheet. Then click the Sounds tab, click the Blocked Pop-up Window program event and choose the sound to play in the Sounds drop-down list.

Note

The Pop-up Blocker is used by default in the Internet and the Restricted Sites security zones. You can expand the scope of the Pop-up Blocker to include the Local Intranet or Trusted Sites security zone by clicking the zone and then either moving the slider in the Security level for this zone area to Medium or High or clicking Custom level and then changing the setting for Use Pop-up Blocker to Enabled.

When will you see pop-up windows while Pop-up Blocker is enabled?

You will still see pop-ups windows opened in the following cases:

  • The pop-up is opened by a link that the user clicked.

  • The pop-up is opened by software that is running on the computer.

  • The pop-up is opened by ActiveX controls that are instantiated from a Web site.

  • The pop-up is opened from the Trusted Sites or Local Intranet zones and you have not expanded the scope of the Pop-up Blocker to include those zones.

Why is this change important?

Pop-ups have been misused in many ways. By blocking pop-ups, you have more control over your browsing experience.

INewWindowManager

Detailed description

By default, the Pop-up Blocker functionality does not apply to applications that host the WebBrowser control or MSHTML. These applications have the ability to use or extend Pop-up Blocker, use their own Pop-up Blocker, or disable pop-up management for their application through the INewWindowManager interface.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Methods: window.open(), window.external.navigateAndFind(), showHelp()

Detailed description

If one of these functions normally returns a window object, then the function will return null when a window is blocked. Web developers can check for null to determine whether the window they attempted to open was blocked.

Windows that are outside the viewable screen when they are opened are positioned onto the viewable area.

Windows that are larger than the viewable screen when they are opened are resized to the viewable area.

For more information, see "Internet Explorer Window Restrictions" later in this document.

What works differently?

In the Internet zone, the Pop-up Blocker blocks windows that are automatically opened by these methods without the user clicking a link. Windows that are opened by these methods by clicking a link might also be blocked if the customer has enabled the more restrictive blocking setting.

How do I resolve these issues?

Ensure that all windows that are opened with window.open() are opened through user interaction and not automatically through your code.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Pop-up Blocker Settings   

Setting name Location Previous default value Default value Possible values

URLname

HKEY_CURRENT_USER \Software\Microsoft \Internet Explorer\New Windows\Allow

None

Empty

URL names of trusted sites

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Web page authors should check for a NULL return value for any windows that you open. This will indicate whether the pop-up window opened successfully and allow you to handle either case.

If your software opens windows automatically, they will be blocked. Look for alternative ways of doing the same thing as described earlier in this document. The best way to open a window is to have the customer click a link or graphical element.