
Internet Explorer Security Options

With Internet Explorer security zones, you can specify security options for Web content. A zone is a collection of Web sites to which you assign the same level of trust. You add a Web site to a specific zone and then set the appropriate security options for that zone.

You can adjust the Internet Explorer default settings to best match the security features of your system. For a secure intranet, for example, you can usually adjust the security setting to Low or an appropriate custom setting (after the Local intranet zone is configured to match the firewall).

All security options apply to the Internet Explorer browser; they are not system-wide. Other Internet programs may or may not respect these options.

To set corporate security options, you must modify the settings by using the IEAK. The user views security options in the browser by clicking the Tools menu, clicking Internet Options, and then clicking the Security tab. To see custom settings, the user selects a security zone and then clicks Custom Level.

ActiveX controls and plug-ins

These options control how ActiveX controls and plug-ins are administrator-approved, downloaded, run, and scripted. For more information about managing and approving ActiveX controls, see Managing ActiveX Controls.

When a user downloads an ActiveX control from a site different than the site the control is used on, Internet Explorer uses the more restrictive of the two sites' zone settings. For example, if a user is viewing a Web page within a zone that is set to allow (Enable) a download, but the code is downloaded from another zone that is set to prompt the user first, then the prompt setting is used.

Script ActiveX controls marked safe for scripting

This option determines whether an ActiveX control marked safe for scripting can interact with a script. Note that safe-for-initialization controls loaded with PARAM tags are not affected by this option. This option is ignored when Initialize and script ActiveX controls not marked as safe is set to Enable because the setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.

Initialize and script ActiveX controls not marked as safe

ActiveX controls are classified as being either safe or unsafe. This option controls whether or not a script is allowed to interact with unsafe controls. Unsafe controls are not meant for use on Internet Web pages, but in some cases may be used with pages that can absolutely be trusted not to use the controls in a malicious way. Object safety should be enforced unless all ActiveX controls and scripts that might interact with pages in this zone can be trusted. The settings are as follows:

Run ActiveX controls and plug-ins

This option determines whether ActiveX controls and plug-ins can be run on pages from the specified zone. Disabling this option prevents running any ActiveX controls or plug-ins; therefore, the other ActiveX settings are ignored. Downloading, running, and scripting ActiveX controls are three distinct steps with options that apply to each separate step. Downloading options distinguish between signed and unsigned controls. Scripting options can be set for safe and unsafe controls separately. Whether a control is safe for scripting (or initialization) is determined by the control author and should not be confused with signing; signing and safety are independent. For more information, see the MSDN Online Web Workshop.

Download signed ActiveX controls

This option allows users to download signed ActiveX controls from pages in this zone. The settings are as follows:

  • Enable lets users silently download any signed controls.

  • Prompt displays a warning before users download controls signed by publishers that are not trusted. This setting still enables users to download trusted publisher-signed code silently.

  • Deny prevents users from downloading any signed controls.

Download unsigned ActiveX controls

This option allows users to download unsigned ActiveX controls from pages in this zone. This kind of code is potentially dangerous, especially when coming from an untrusted zone.

  • Enable overrides object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • Prompt attempts to enforce object safety. However, if the ActiveX control cannot be made safe for untrusted data or scripts, then the user is given the option of allowing the control to be loaded with parameters or scripted.

  • Disable enforces object safety for untrusted data or scripts. ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
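
The ActiveX rules in this section interact in ways that are easy to miss in a configuration review, so the following added example (a model written for this page, not Microsoft code) evaluates the download, run, and scripting steps for one control and flags the override described above. The dictionary keys, function names, and sample zone values are assumptions made for illustration; they are not Internet Explorer defaults or registry names.

```python
from enum import IntEnum

class Action(IntEnum):
    ENABLE = 0   # ordered so max() returns the more restrictive setting
    PROMPT = 1
    DISABLE = 2

def download_action(page_zone, code_zone, signed, trusted_publisher=False):
    """Download step: the more restrictive of the two zones' settings applies."""
    key = "download_signed" if signed else "download_unsigned"
    action = max(page_zone[key], code_zone[key])
    # Prompt still lets code signed by a trusted publisher download silently.
    if signed and trusted_publisher and action is Action.PROMPT:
        return Action.ENABLE
    return action

def script_action(zone, marked_safe):
    """Scripting step: Enable on the 'not marked as safe' option overrides all."""
    if zone["script_unsafe"] is Action.ENABLE:
        return Action.ENABLE          # object safety bypassed, script_safe ignored
    return zone["script_safe"] if marked_safe else zone["script_unsafe"]

def evaluate(page_zone, code_zone, signed, marked_safe, trusted_publisher=False):
    """Return (download, run, script); None means the setting was not consulted."""
    if page_zone["run"] is Action.DISABLE:
        return (None, Action.DISABLE, None)
    return (download_action(page_zone, code_zone, signed, trusted_publisher),
            page_zone["run"], script_action(page_zone, marked_safe))

def findings(name, zone):
    """Flag combinations the text warns about, for a configuration review."""
    out = []
    if zone["script_unsafe"] is Action.ENABLE:
        out.append(f"{name}: unsafe-control scripting enabled, object safety bypassed")
        if zone["script_safe"] is not Action.ENABLE:
            out.append(f"{name}: safe-for-scripting setting has no effect")
    return out

# Constructed sample zones (illustrative values, not Internet Explorer defaults).
INTRANET = {"run": Action.ENABLE, "download_signed": Action.ENABLE,
            "download_unsigned": Action.PROMPT, "script_safe": Action.DISABLE,
            "script_unsafe": Action.ENABLE}
INTERNET = {"run": Action.ENABLE, "download_signed": Action.PROMPT,
            "download_unsigned": Action.DISABLE, "script_safe": Action.ENABLE,
            "script_unsafe": Action.DISABLE}

if __name__ == "__main__":
    print(evaluate(INTRANET, INTERNET, signed=True, marked_safe=False))
    print(*findings("INTRANET", INTRANET), sep="\n")
```

In the sample run, a page in the constructed intranet zone loads a signed control hosted in the constructed Internet zone: the download is prompted because the stricter zone wins, while scripting is allowed outright because the intranet zone enables scripting of controls not marked as safe.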

Understanding Java

Java permissions

You must have the Microsoft virtual machine (Microsoft VM) installed before the Java options are available.

These options control the downloading and running of Java within the zone. For Java downloads, if a control is downloaded from a different site than the page it is used on, the more restrictive setting of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow a download, but the code is downloaded from another zone that is set to prompt a user first, then the prompt setting is used.

Each option setting determines the following:

  • The maximum permission level silently granted to signed applets downloaded from the zone

  • The permissions granted to unsigned applets downloaded from the zone

  • The permissions granted to scripts on pages in the zone that call into applets

The five options are:

  • Custom controls permissions settings individually. In the Custom Permissions dialog box, the Unsigned tab specifies the permissions for both unsigned applets and for scripts calling Java. The Allowed Without Warning tab specifies the threshold up to which applets will silently be granted permissions.

  • Low Safety enables applets to perform all operations unhindered.

  • Medium Safety enables applets to run in their sandbox, an area in memory outside of which the program cannot make calls. It also enables capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file Input/Output.

  • High Safety enables applets to run in their sandbox.

  • Disable Java does not allow any applets to run.

Understanding scripting

Active scripting

This option determines whether script code on pages in this zone is run.

Scripting of Java applets

This option determines whether scripts within the zone are allowed to use objects that exist within Java applets, allowing the script on the page to interact with the Java applet.

Understanding downloads

File Download

This option controls whether file downloads are permitted from within this zone. This option is determined by the zone of the page that contains the download link, not the zone from which the file is delivered.

Font download

This option determines whether users can download HTML fonts from pages within this zone.

Understanding user authentication

Logon

HTTP authentication honors the zone security policy for Logon credentials, which may have one of four values:

  • Automatic logon only in intranet zone. Prompts for user ID and password in other zones. After the user is prompted, this value can be used silently for the remainder of the session.

  • Anonymous Logon. Disables HTTP authentication; uses guest account only for Common Internet File System (CIFS).

  • Prompt for username and password. Prompts for user ID and password. After the user is prompted, this value may be used silently for the remainder of the session.

  • Automatic logon with current username and password. The logon credential may be tried silently by Windows NT Challenge response (NTLM), an authentication protocol between an end-user client and application server, before prompting.

Understanding miscellaneous information

Access data sources across domains

This option specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data. This applies only to data binding, such as active data objects. The settings are as follows:

  • Enable allows database access to any source, even other domains.

  • Prompt prompts users before allowing database access to any source in other domains.

  • Disable allows database access only to the same domain as the page.

Submit non-encrypted form data

This option specifies whether HTML pages in the zone can submit forms to or accept forms from servers in the zone. Forms sent with Secure Sockets Layer (SSL) encryption are always allowed; this setting affects only non-SSL form data submission.

Launching applications and files in an IFrame

This option controls whether users can launch applications and files from an IFRAME tag (containing a directory of a folder) in Web pages within this zone.

Installation of desktop items

This option controls whether users can install desktop items from Web pages within this zone.

Drag-and-drop or copy and paste files

This option controls whether users can drag or copy files from Web pages within this zone.

Software permissions

The settings are as follows:

Low safety allows:

  • E-mail notification

  • Auto download

  • Auto installation

Medium safety allows:

  • E-mail notification

  • Auto download

High safety allows:

  • None of the software distribution features

Understanding cookies

Allow per-session cookies (not stored)

Determines the settings for cookies (text files that store the user's preferences) that a Web site uses while the user is visiting the site. For example, this setting would determine whether a "virtual shopping cart" could be created while a user is shopping online. Per-session cookies do not remain on the hard disk.

The settings are as follows:

  • Enable means that cookies are automatically accepted.

  • Prompt means that users receive a prompt before a cookie is created.

  • Disable means that no cookies can be created. If you disable per-session cookies, some Web sites may not work properly.

Allow cookies that are stored on your computer

Determines the settings for cookies that are stored on the user's hard drive for future browsing sessions. For example, this setting would determine whether a list of preferences or a user's name was retained for the user's next visit.

The settings are as follows:

  • Enable means that persistent cookies are automatically accepted.

  • Prompt means that users receive a prompt before a persistent cookie is created.

  • Disable means that no persistent cookies can be created. If you disable persistent cookies, some Web sites do not retain their settings when the user returns to the site.

Security options that cannot be configured

The following options are fixed and cannot be set by the user. High, Medium, Medium-low, and Low zone settings do not change the behavior of these options.

Launch From Webview

This option controls whether users can start programs and files from a folder viewed as a Web page. This setting applies to Windows 98 users and to users who upgraded from Internet Explorer 4 and are using the Windows Desktop Update. The zone of the customizing Web content, not the zone of the folder itself, determines the setting:

  • My Computer: Enable

  • Local Intranet: Enable

  • Trusted Sites: Enable

  • Internet: Prompt

  • Restricted Sites: Prompt


© 2014 Microsoft. All rights reserved.