Internet Explorer 6.0 and Internet Communication (Windows Server 2003)

Applies To: Windows Server 2003 with SP1

Internet Explorer 6.0

This section provides information about:

  • The benefits of Microsoft Internet Explorer 6.0 in products in the Windows Server 2003 family.

  • A description of Internet Explorer Enhanced Security Configuration, which is enabled by default when you install a product in the Windows Server 2003 family.

  • Examples of security-related configuration features offered in Internet Explorer 6.0 in products in the Windows Server 2003 family (as compared to Internet Explorer 5).

  • Procedures for working with security-related settings in Internet Explorer.

  • Resources for learning about topics related to security in Internet Explorer 6.0.

Note

This section of the white paper describes Internet Explorer 6.0 in general, but it does not describe Outlook Express (the e-mail component in Internet Explorer 6.0), the New Connection Wizard, or the error reporting tool in Internet Explorer. For information about these components, see the respective sections of this white paper (the error reporting tool in Internet Explorer is described in Windows Error Reporting and Internet Communication (Windows Server 2003) in this white paper). Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000.

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where you use browsers on servers to connect to Web sites, run software from the Internet, download items from the Internet, and perform similar actions. This section, however, provides overview information as well as suggestions for other sources of information.

Benefits and Purposes of Internet Explorer 6.0

Internet Explorer 6.0 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from many of the other components described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with components that communicate with the Internet in the process of supporting some other activity).

Internet Explorer 6.0 is also designed to be highly configurable, with security and privacy settings that can protect your organization's networked assets while at the same time providing access to useful information and tools. In addition, Internet Explorer Enhanced Security Configuration, which is enabled by default when you install a product in the Windows Server 2003 family, helps make your computer more secure by limiting its exposure to malicious Web sites.

With this enhanced level of security, however, you might find that some Web sites are not displayed correctly in Internet Explorer when you are browsing from a server. Also, you might be prompted to enter your credentials when accessing network resources, such as files in shared folders with Universal Naming Convention (UNC) names. You can easily change the enhanced security settings.

If you want to establish a specific configuration on servers (instead of using Internet Explorer Enhanced Security Configuration), Internet Explorer 6.0 offers more security-related configuration options and settings than were available in Internet Explorer 5. The subsections that follow provide more information about Internet Explorer Enhanced Security Configuration and about the security-related configuration options and settings in Internet Explorer 6.0.

Internet Explorer Enhanced Security Configuration

Internet Explorer Enhanced Security Configuration is enabled by default when you install a product in the Windows Server 2003 family. With this configuration, each zone uses a higher security setting than was used by default in Windows 2000. You can easily change the enhanced security settings.

The following table outlines some of the differences that Internet Explorer Enhanced Security Configuration makes in security settings on a server. (For a description of zones, see "Examples of Security-Related Features Offered in Internet Explorer 6.0," later in this section.)

Security settings with and without Internet Explorer Enhanced Security Configuration

| Zone | With Internet Explorer Enhanced Security Configuration | Without Internet Explorer Enhanced Security Configuration (the same security levels as Windows 2000) |
| --- | --- | --- |
| Internet zone | High security settings | Medium security settings |
| Trusted sites zone | Medium security settings | Low security settings |
| Local intranet zone | Medium-low security settings (intranet sites are not automatically detected) | Medium-low security settings (intranet sites are automatically detected) |

Also, with Internet Explorer Enhanced Security Configuration, several sites are added automatically to specific zones:

  • The Windows Update Web site is added to the Trusted sites zone. This allows you to continue to get important updates for your operating system. For more information about Windows Update, see the Windows Update, Automatic Updates, and Internet Communication (Windows Server 2003) section of this white paper.

  • The Windows Error Reporting site is added to the Trusted sites zone. This allows you to report problems you encounter with your operating system and search for fixes. For more information about Windows Error Reporting, see Windows Error Reporting and Internet Communication (Windows Server 2003) in this white paper.

  • Several local computer sites (for example, http://localhost, https://localhost, hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.

You can enable or disable the Internet Explorer Enhanced Security Configuration for administrators, all other user groups, or both. For more information, see "To remove Internet Explorer Enhanced Security Configuration and restore the default Internet Explorer 6.0 security settings," later in this section.

For more information about Internet Explorer Enhanced Security Configuration, see the resources listed in "Learning about Internet Explorer Enhanced Security Configuration," later in this section.

Examples of Security-Related Features Offered in Internet Explorer 6.0

This subsection describes enhancements in some of the security-related features in Internet Explorer 6.0, as compared to Internet Explorer 5. These features include:

  • A Privacy tab that provides greater flexibility in specifying whether cookies will be blocked from specific sites or types of sites. An example of a type of site that could be blocked is one that does not have a compact policy, that is, a condensed computer-readable privacy statement. (The Privacy tab was not available in Internet Explorer 5.)

  • Security settings that specify how Internet Explorer 6.0 handles such higher-risk items as ActiveX controls, downloads, and scripts. You can accept the settings in Internet Explorer Enhanced Security Configuration, you can customize these settings as needed, or you can set them to the predefined levels of high, medium, medium-low, or low. You can specify different settings for a number of zones, the most basic being the four preconfigured zones:

    • Local intranet zone: Normally contains only addresses inside your proxy server. (Note that when Internet Explorer Enhanced Security Configuration is enabled, intranet sites are not automatically detected.)

    • Trusted sites: Includes sites you designate as "trusted."

    • Restricted sites: Includes sites you designate as "restricted."

    • Internet zone: Includes everything that is not in another zone and is not on the local computer.

    You can also specify different settings for customized zones that you add programmatically using the URL security zones application programming interface (API). For more information, search for "URL security zones" on the MSDN Web site at:

    https://msdn.microsoft.com/

  • Support for content-restricted IFrames (inline floating frames). This type of support enables developers to implement these frames in a way that makes it more difficult for malicious authors to start e-mail or content-based attacks.

  • Improvements that increase the overall security and reliability of Internet Explorer 6.0.

For more information about features available in Internet Explorer, see "Resources for Learning About Topics Related to Security in Internet Explorer 6.0," later in this section, as well as the Internet Explorer page on the Microsoft Web site at:

https://www.microsoft.com/windows/ie/

This subsection describes how to carry out the following:

  • View security settings for zones in Internet Explorer

  • Locate Group Policy objects (GPOs) that affect Internet Explorer, and view related Help

  • Determine whether Internet Explorer Enhanced Security Configuration is enabled on a specific server

  • Remove Internet Explorer Enhanced Security Configuration and restore the default Internet Explorer 6.0 security settings

To view security settings for zones in Internet Explorer

  1. On the server on which you want to view settings, start Internet Explorer by your preferred method, for example, by clicking the Internet Explorer icon on the taskbar.

  2. On the Tools menu, click Internet Options.

  3. Click the Security tab.

  4. Select the zone for which you want to view security settings:

    • Internet

    • Local intranet

    • Trusted sites

    • Restricted sites

To locate Group Policy objects (GPOs) that affect Internet Explorer

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.

  3. View the available settings.

  4. Click User Configuration, click Windows Settings, and then click Internet Explorer Maintenance.

  5. View the available settings.

  6. Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.

  7. View the available settings.

To determine whether Internet Explorer Enhanced Security Configuration is enabled on a specific server

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Scroll down to Internet Explorer Enhanced Security Configuration. If the check box is selected, it is enabled. If the check box is cleared, it is not enabled.

  5. If you want to see whether Internet Explorer Enhanced Security Configuration is enabled for administrator groups, all other user groups, or both, select Internet Explorer Enhanced Security Configuration, and then click Details.

To remove Internet Explorer Enhanced Security Configuration and restore the default Internet Explorer 6.0 security settings

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Click Internet Explorer Enhanced Security Configuration, and then do one of the following:

    • To remove Internet Explorer Enhanced Security Configuration for both administrators and all other users, clear the Internet Explorer Enhanced Security Configuration check box, and then click Next.

    • To remove Internet Explorer Enhanced Security Configuration for administrators only or for users who are not in an administrator group, click Details, clear either the For administrator groups check box or the For all other user groups check box, and then click Next.

  5. Follow the instructions to complete the Windows Components Wizard.

Resources for Learning About Topics Related to Security in Internet Explorer 6.0

This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 6.0:

  • Internet Explorer Enhanced Security Configuration

  • Security and privacy settings available in Internet Explorer 6.0

  • Methods for mitigating the risks inherent in Web-based programs and scripts

  • Ways to use Group Policy objects that control configuration settings for Internet Explorer 6.0

  • The Internet Explorer Administration Kit

In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003).

Note

For information about Internet Explorer on clients running Windows XP Professional with Service Pack 2, that is, for information similar to what is provided in this white paper but focused on clients instead of servers, see "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=29133.

Learning about Internet Explorer Enhanced Security Configuration

For more information about Internet Explorer Enhanced Security Configuration, see one of the following:

  • The informational pages displayed in Internet Explorer after you install a product in the Windows Server 2003 family. To view these pages, start Internet Explorer after completing the installation.

  • Help topics in Internet Explorer. To view these topics, start Internet Explorer, click Help, and then click Enhanced Security Configuration.

  • Help topics in Help and Support Center. To view these topics, start Internet Explorer, click Start, click Help and Support, and search for "enhanced security configuration."

Learning about security and privacy settings in Internet Explorer 6.0

An important source of detailed information about security and privacy settings in Internet Explorer 6.0 is the Microsoft Internet Explorer 6 Resource Kit. To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:

https://go.microsoft.com/fwlink/?linkid=29894

The Microsoft Internet Explorer 6 Resource Kit consists of a number of parts that include these titles:

  • "Privacy and Security Features"

  • "Preparation for Deployment"

  • "Customization and Installation"

  • "Maintenance and Support," including information about keeping programs updated

  • Appendices, including an appendix titled "Setting System Policies and Restrictions"

You can also use the following sources for information about security and privacy settings in Internet Explorer 6.0:

  • Help for Internet Explorer (with Internet Explorer open, click the Help menu and select an appropriate option).

  • The Internet Explorer page on the Microsoft Web site at:

    https://www.microsoft.com/windows/ie/

Learning about mitigating the risks inherent in Web-based programs and scripts

In a network-based and Internet-based environment, programs can take a variety of forms including scripts within documents, scripts within e-mail, or programs or other code objects running within Web pages. These programs can move across the Internet and are sometimes referred to as "mobile code." Configuration settings provide ways for you to control the way Internet Explorer 6.0 responds when someone tries to run a particular code object on a server running a product in the Windows Server 2003 family. Two examples of the ways you can customize the Internet Explorer configuration are as follows:

  • You can control the code (ActiveX controls, scripts, and so on) that administrators or operators can run. You can do this by customizing Authenticode® settings, which can, for example, prevent administrators or operators from running any unsigned code or enable them to only run code signed by specific authors.

  • If you want to permit the use of ActiveX controls, but you do not want administrators or operators to download code directly from the Internet, you can specify that when Internet Explorer 6.0 looks for a requested executable, it goes to your own internal Web site instead of the Internet. For more information, see the white paper titled "Managing Mobile Code with Microsoft Technologies," at the end of this list, and search for "CodeBaseSearchPath."
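A check for the CodeBaseSearchPath restriction described above, as an added example that is not part of the white paper or any Microsoft tool. It assumes the value is a semicolon-separated list whose entries are either the keyword CODEBASE or a URL in angle brackets; the `.corp.example` suffix and the sample values are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical internal DNS suffix; replace with your organization's own.
INTERNAL_SUFFIXES = (".corp.example",)


def parse_search_path(value):
    """Split a CodeBaseSearchPath value into ordered (kind, text) entries.

    Assumed format: semicolon-separated entries, each either the keyword
    CODEBASE or a URL wrapped in angle brackets, e.g. "<http://host/path>".
    """
    entries = []
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue
        if item.upper() == "CODEBASE":
            entries.append(("codebase", item))
        elif item.startswith("<") and item.endswith(">"):
            entries.append(("url", item[1:-1].strip()))
        else:
            entries.append(("malformed", item))
    return entries


def is_internal(url):
    """True for single-label hosts or hosts under an internal suffix."""
    host = (urlsplit(url).hostname or "").lower()
    # Assumption: dotless names are intranet; IP literals count as external.
    return bool(host) and ("." not in host or host.endswith(INTERNAL_SUFFIXES))


def audit_search_path(value):
    """Return (position, finding) for entries that allow outside downloads."""
    findings = []
    for position, (kind, text) in enumerate(parse_search_path(value), start=1):
        if kind == "codebase":
            findings.append((position, "page-supplied CODEBASE URL is honored"))
        elif kind == "malformed":
            findings.append((position, "unparseable entry: " + text))
        elif not is_internal(text):
            findings.append((position, "external download server: " + text))
    return findings


# Constructed sample values (not taken from the white paper).
PERMISSIVE = "CODEBASE;<http://downloads.example.net/objects/get.dll>"
LOCKED_DOWN = "<http://controls.corp.example/activex>"

if __name__ == "__main__":
    for label, value in (("permissive", PERMISSIVE), ("locked down", LOCKED_DOWN)):
        print(label, audit_search_path(value))
```

An empty result means every entry points at an internal server and the CODEBASE keyword is absent, which is the configuration the bullet above describes.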

You can use the following sources to learn more about mitigating the risks inherent in Web-based programs and scripts:

  • To understand more about how a particular Microsoft programming or scripting language works, see the Microsoft Developer Network Web site at:

    https://msdn.microsoft.com/

  • To learn about approaches to mitigating the risks presented by mobile code, see "Managing Mobile Code with Microsoft Technologies," a white paper on the TechNet Web site at:

    https://go.microsoft.com/fwlink/?linkid=29170

Learning about Group Policy objects that control configuration settings for Internet Explorer 6.0

You can control configuration settings for Internet Explorer 6.0 by using Group Policy objects (GPOs). (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit; for more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy (Windows Server 2003).

Learning about the Internet Explorer Administration Kit

With the deployment technologies available in the Internet Explorer Administration Kit (IEAK), you can efficiently deploy Internet Explorer and control the configuration of Internet Explorer across your organization. (You can also control the configuration of Internet Explorer by using Group Policy; for more information, see "Learning about Group Policy objects that control configuration settings for Internet Explorer 6.0," earlier in this section.)

A few of the features and resources in the IEAK include:

  • Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops.

  • IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.

  • IEAK Toolkit. The IEAK Toolkit contains a variety of helpful tools, programs, and sample files.

  • IEAK Help. IEAK Help includes many conceptual and procedural topics that you can view by using the Index, Contents, and Search tabs. You can also print topics from IEAK Help.

For more information about the IEAK, see the IEAK Web site at:

https://go.microsoft.com/fwlink/?linkid=29479