Export (0) Print
Expand All

Chapter 4 - Security Zones

This chapter describes security zones, which allow you to effectively manage a secure environment by choosing the level of security for different zones of Internet and intranet content. Read this chapter to learn how to set up security zones within your organization.

Related Information in the Resource Kit

  • For more information about Microsoft® Internet Explorer features that help ensure user privacy, see "Users' Privacy." 

  • For more information about planning user security before installing Internet Explorer 6 and Internet Tools, see "Planning the Deployment." 

Understanding Security Zones

Security zones offer you a convenient and flexible method for managing a secure environment. You can use security zones to enforce your organization's Internet security policies, based on the origin of the Web content. Security zones enable you to:

  • Group sets of sites together. 

  • Assign a security level to each zone. 

Grouping Sets of Sites Together

Zone security is a system that enables you to divide online content into categories, or zones. You can assign specific Web sites to each zone, depending on how much you trust the content of each site. The Web content can be anything from an HTML or graphics file to a Microsoft® ActiveX® control, Java applet, or executable file.

Important You should configure the Local intranet zone to correspond to the particular network and firewall configuration of your organization. The default settings for the Local intranet zone cannot be guaranteed to match your network configuration, and there is no method for automatically detecting your firewall and configuring the zone based on your specific settings. For more information, see "Setting Up Security Zones" later in this chapter.

Internet Explorer includes the following predefined security zones:

  • Local intranet zone. The Local intranet zone includes all sites inside an organization's firewall (for computers connected to a local network). 

  • Trusted sites zone. The Trusted sites zone can include all Internet sites that you know are trusted. For example, the Trusted sites zone might contain corporate subsidiaries' sites or the site of a trusted business partner. 

  • Internet zone. The Internet zone includes all sites on the Internet that are not in the Trusted sites or Restricted sites zones. 

  • Restricted sites zone. The Restricted sites zone can include all sites that you do not trust. 

In addition, the My Computer zone includes everything on the client computer, which is typically the contents of the hard disk and removable media drive. This zone excludes cached Java classes in the Temporary Internet Files folder. You cannot configure the My Computer zone through the security zone settings in Internet Explorer. However, you can configure them by using the Internet Explorer Administration Kit (IEAK).

Assigning a Security Level to Each Zone

A security level assigned to each zone defines the level of browser access to Web content. You can choose to make each zone more or less secure. In this way, security zones can control access to a site based on the zone in which the site is located and the level of trust assigned to that zone. Also, you can choose a custom level of security, which enables you to configure settings for ActiveX controls, downloading and installation, scripting, password authentication, cross-frame security, and Java capabilities. A custom level of security also enables you to assign administrator-approved control, which runs only those ActiveX controls that you have approved for your users.

Zone Architecture

When Internet Explorer opens an HTML page, a dynamic-link library named Urlmon.dll determines the zone from which the page was loaded. To do this, Urlmon.dll performs the following two steps:

  1. Determines whether a proxy server retrieved the HTML page. If it did, Urlmon.dll automatically recognizes that the page originated on the Internet. If it did not, Urlmon.dll determines whether the page originated on your company's intranet, based on the proxy server configuration. 

  2. Checks the registry to see whether the page is from a trusted or a restricted location, and whether the security zone is set appropriately. 

Setting Up Security Zones

You can use security zones to easily provide the appropriate level of security for the various types of Web content that users are likely to encounter. For example, because you can fully trust sites on your company's intranet, you probably want users to be able to run all types of active content from this location. To provide this capability, set the Local intranet zone to a low level of security. You might not feel as confident about sites on the Internet, so you can assign a higher level of security to the entire Internet zone. This higher level prevents users from running active content and downloading code to their computers. However, if there are specific sites you trust, you can place individual URLs or entire domains in the Trusted sites zone. For other sites on the Internet that are known to be sources of potentially harmful Web content, you can select the highest restrictions.

You can accept the default security settings for each zone, or you can configure the settings based on the needs of your organization and its users. The options for configuring security zones are the same whether you gain access to them from Internet Explorer 6, the Internet Explorer Customization Wizard, or the IEAK Profile Manager.

Important When you upgrade to Internet Explorer 6, Setup maintains the existing security zone settings from previous browser versions, with two exceptions—Java and scripting are disabled in the Restricted sites zone, regardless of your existing settings. Also, because the default settings have changed for some options, your existing settings may move to a custom level of security in Internet Explorer 6.

Configuring Security Zones

You can configure security zones by using the following methods:

  • In Internet Explorer, you can use the Security tab. 

  • You can use the Internet Explorer Customization Wizard to create custom browser packages that include security zone settings for your user groups. You can also lock down these settings to prevent users from changing them. 

  • After the browser is deployed, you can use the IEAK Profile Manager to manage security zone settings through the automatic browser configuration feature of Internet Explorer. You can automatically push the updated security zone settings to each user's desktop computer, enabling you to manage security policy dynamically across all computers on the network. 

The options for configuring security zones are the same whether you access them from Internet Explorer 6, the Internet Explorer Customization Wizard, or the IEAK Profile Manager. The following procedure describes how to configure security zone settings in the browser. For more information about using the Internet Explorer Customization Wizard and the IEAK Profile Manager, see "Running the Microsoft Internet Explorer Customization Wizard," and "Keeping Programs Updated" in this Resource Kit.

To configure security zone settings

  1. On the Tools menu, click Internet Options, and then click the Security tab. 

    Dd361896.ierk401(en-us,TechNet.10).gif 

  2. Click a security zone to select it and view its current settings. 

  3. As necessary, change the following settings:

    • Security level. To change the security level for the selected zone to High, Medium, Medium-low, or Low, move the slider. The on-screen description for each level can help you decide which level to select. 

    • Sites. To add or remove Web sites from the zone, click the Sites button, and then click the Add or Remove button to customize your list of sites for the selected zone. 

    • Custom level. For more precise control of your security settings, click the Custom Level button, and then select the options you want. At any time, you can click Default Level on the Security tab to return to the original security level for the selected zone. 

The process required for setting up each security zone is described in the following sections.

Setting Up the Internet Zone

The Internet zone consists of all Web sites that are not included in the other zones. By default, the Internet zone is set to the Medium security level. If you are concerned about possible security problems when users browse the Internet, you might want to change the security level to High. If you raise the security level, Internet Explorer prevents some Web pages from performing certain potentially harmful operations. As a result, some pages might not function or be displayed properly. Rather than use the High security level, you might want to choose the Custom level so that you can control each individual security decision for the zone.

Note You cannot add Web sites to the Internet zone.

Setting Up the Local Intranet Zone

To ensure a secure environment, you must set up the Local intranet zone in conjunction with your proxy servers and firewall. All sites in this zone should be inside the firewall, and the proxy servers should be configured so that an external Domain Name System (DNS) name cannot be resolved to this zone. Configuring the Local intranet zone requires that you have a detailed knowledge of your existing networks, proxy servers, and firewalls. For more information, see the MSDN® Web site at http://msdn.microsoft.com/.

By default, the Local intranet zone consists of local domain names in addition to any domains that are specified to bypass the proxy server. You should confirm that these settings are secure for your organization and adjust the settings as necessary. When you set up the zone, you can specify the URL categories in addition to specific sites in the zone.

To set up sites in the Local intranet zone

  1. On the Tools menu, click Internet Options, and then click the Security tab. 

  2. Click the Local intranet zone. 

  3. Click Sites, and then select the following check boxes that apply:

    • Include all local (intranet) sites not listed in other zones. Intranet sites, such as http://local, have names that do not include dots. In contrast, a site name that does contain dots, such as http://www.microsoft.com, is not local. This site would be assigned to the Internet zone. The intranet site name rule applies to File URLs as well as HTTP URLs. 

    • Include all sites that bypass the proxy server. Typical intranet configurations use a proxy server to gain access to the Internet but have a direct connection to intranet servers. The setting uses this kind of configuration information to distinguish intranet from Internet content. If your proxy server is configured otherwise, you should clear this check box and then use other means to designate the Local intranet zone membership. For systems without a proxy server, this setting has no effect. 

    • Include all network paths (UNCs). Network paths (for example, \\servername\sharename\file.txt) are typically used for local network content that should be included in the Local intranet zone. If some of your network paths should not be in the Local intranet zone, clear this check box and then use other means to designate the Local intranet zone membership. In certain Common Internet File System (CIFS) configurations, for example, it is possible for a network path to reference Internet content. 

      Dd361896.ierk402(en-us,TechNet.10).gif 

  4. Click Advanced. 

  5. Type the address of the site you want to include in this zone, and then click Add

    Dd361896.ierk403(en-us,TechNet.10).gif 

  6. To require that server verification be used, select the Require server verification (https:) for all sites in this zone check box. 

The Local intranet zone is intended to be configured by using the Internet Explorer Customization Wizard or the IEAK Profile Manager, although you can also find Local intranet options on the Security tab, as described in the previous procedure. After the Local intranet zone is confirmed to be secure, consider changing the zone's security level to Low so that users can perform a wider range of operations. You can also adjust individual security settings by using the Custom level of security for this zone. If parts of your intranet are less secure or otherwise not trustworthy, you can exclude the sites from this zone by assigning them to the Restricted sites zone.

Setting Up the Trusted and Restricted Sites Zones

You can add trusted and untrusted Web sites to the Trusted sites and Restricted sites security zones. These two zones enable you to assign specific sites that you trust more or less than those in the Internet zone or the Local intranet zone. By default, the Trusted sites zone is assigned the Low security level. This zone is intended for highly trusted sites, such as the sites of trusted business partners.

If you assign a site to the Trusted sites zone, the site will be allowed to perform a wider range of operations. Also, Internet Explorer will prompt you to make fewer security decisions. You should add a site to this zone only if you trust all of its content never to perform any harmful operations on your computer. For the Trusted sites zone, Microsoft strongly recommends that you use the Hypertext Transmission Protocol, Secure (HTTPS) protocol or otherwise ensure that connections to the site are completely secure.

By default, the Restricted sites zone is assigned the High security level. If you assign a site to the Restricted sites zone, it will be allowed to perform only minimal, very safe operations. This zone is for sites that you do not trust. Because of the need to ensure a high level of security for content that is not trusted, pages assigned to this zone might not function or be displayed properly. When you install Internet Explorer 6 or upgrade to this browser version, the Restricted sites zone disables active scripting and Java applets.

A content author can create a frame or IFRAME with the "security=restricted" attribute. This attribute puts the contents of the frame or IFRAME, as well as any child frames (initiated by parent frames) that it might contain, in the Restricted sites zone. For example, if the http://a.com/ Web page contains <iframe security=restricted src="http://b.com/"></iframe> and the http://b.com/ Web page contains <iframe src="http://www.microsoft.com/"> </iframe>, both http://b.com/ and http://www.microsoft.com/ will run in the Restricted sites zone. The frame cannot run scripting or ActiveX controls, unless the user changes the default settings for the Restricted sites zone or you used the Internet Explorer Customization Wizard to override the Restricted sites zone settings for the Internet Explorer installation. Also, support for Meta-refresh (a mechanism that allows a Web page to redirect to another Web page on a timer without using script) is disabled in the Restricted sites zone.

Working with Domain Name Suffixes

You can address Web content by using either the DNS name or the Internet Protocol (IP) address. You should assign sites that use both types of addresses to the same zone. In some cases, the sites in the Local intranet zone are identifiable either by their local names or by IP addresses in the proxy bypass list. However, if you enter the DNS name but not the IP address for a site in the Trusted sites or Restricted sites zone and the site is accessed by using the IP address, that site might be treated as part of the Internet zone.

If you want to reference a Web server by using a shorter version of its address that does not include the domain, you can use a domain name suffix. For example, you can reference a Web server named sample.microsoft.com as sample. Then you can use either http://sample.microsoft.com or http://sample to view that content.

To set up this capability, you must add the domain name suffix for TCP/IP properties to the domain suffix search order.

To add the domain name suffix for TCP/IP properties to the domain suffix search order in Microsoft® Windows® XP and Microsoft® Windows® 2000

  1. In Windows XP or Windows 2000, right-click the My Network Places icon, and then click Properties

  2. Right-click the appropriate network connection, and then click Properties

  3. On the General tab (for a local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties

  4. Click Obtain DNS server address automatically if it is not already selected. 

  5. Click Advanced, and then click the DNS tab. 

  6. Click Append these DNS suffixes (in order), and then click Add

    Dd361896.ierk404(en-us,TechNet.10).gif 

  7. Type the domain suffix, and then click Add

To add the domain name suffix for TCP/IP properties to the domain suffix search order in Microsoft® Windows® 98

  1. In Windows 98, right-click the Network Neighborhood desktop icon, and then click Properties

  2. On the Configuration tab, click TCP/IP, and then click Properties

  3. Click the DNS Configuration tab, and then select Enable DNS if it is not already selected. 

  4. In the Domain Suffix Search Order box, add the search order that you want. 

    Dd361896.ierk405(en-us,TechNet.10).gif 

It is important to set up security zones correctly for this capability. By default, the URL without dots (http://sample) is considered to be in the Local intranet zone, and the URL with dots (http://sample.microsoft.com) is considered to be in the Internet zone. Therefore, if you use this capability and no proxy server bypass is available to clearly assign the content to the proper zone, you need to change the zone settings.

Depending on whether the content accessed by the domain name suffix is considered intranet or Internet content, you need to assign the ambiguous site URLs to the appropriate zones. To assign URLs, such as http://sample, to the Internet zone, clear the Include all local (intranet) sites not listed in other zones check box for the Local intranet zone, and include the site in the Internet zone.

Selecting Custom Level Settings

The Custom Level button on the Security tab gives you additional control over zone security. You can enable or disable specific security options depending on the needs of your organization and its users. For more information about how to use Custom level security options, see "Setting Up Security Zones" earlier in this chapter.

The Custom level security options for Internet Explorer are grouped into the following categories:

  • ActiveX controls 

  • Downloads 

  • Microsoft VM 

  • Miscellaneous 

  • Scripting 

  • User Authentication 

Notes If you upgrade from Internet Explorer 5.5 or an earlier browser version, Internet Explorer 6 maintains your existing Custom level security settings.

If you have Microsoft virtual machine (VM) installed and you want to configure the Custom level security options for this component, see "Permission-based Security for Microsoft Virtual Machine" in this Resource Kit.

The following table identifies the default value for each Custom level security option at each security level.

Security option

Low

Medium-low

Medium

High

 
 
 
 
 

ActiveX controls

Download signed ActiveX controls

Enable

Prompt

Prompt

Disable

Download unsigned ActiveX controls

Prompt

Disable

Disable

Disable

Initialize and script ActiveX controls not marked as safe

Prompt

Disable

Disable

Disable

Run ActiveX controls and plug-ins

Enable

Enable

Enable

Disable

Script ActiveX controls marked safe for scripting

Enable

Enable

Enable

Disable

Downloads

File download

Enable

Enable

Enable

Disable

Font download

Enable

Enable

Enable

Prompt

Miscellaneous

Access data sources across domains

Enable

Prompt

Disable

Disable

Allow META REFRESH

Enable

Enable

Enable

Disable

Display mixed content

Prompt

Prompt

Prompt

Prompt

Don't prompt for client certificate selection when no certificates or only one certificate exists

Enable

Enable

Disable

Disable

Drag and drop or copy and paste files

Enable

Enable

Enable

Prompt

Installation of desktop items

Enable

Prompt

Prompt

Disable

Launching programs and files in an IFRAME

Enable

Prompt

Prompt

Disable

Navigate sub-frames across different domains

Enable

Enable

Enable

Disable

Software channel permissions

Low safety

Medium safety

Medium safety

High safety

Submit nonencrypted form data

Enable

Enable

Prompt

Prompt

Userdata persistence

Enable

Enable

Enable

Disable

Scripting

Active scripting

Enable

Enable

Enable

Disable

Allow paste operations via script

Enable

Enable

Enable

Disable

Scripting of Java applets

Enable

Enable

Enable

Disable

User Authentication

Logon

Automatic logon with current username and password

Automatic logon only in Intranet zone

Automatic logon only in Intranet zone

Prompt for user name and password

These Custom level security options apply to Internet Explorer; other programs might not accept them. These security options are for 64-bit and 32-bit versions of the Microsoft® Windows® operating system. The following sections describe these settings in greater detail.

ActiveX Controls

The following options dictate how Internet Explorer approves, downloads, runs, and scripts ActiveX controls.

Note If a user downloads an ActiveX control from a site that is different from the page on which it is used, Internet Explorer applies the more restrictive of the two sites' zone settings. For example, if a user views a Web page within a zone that is set to permit a download, but the code is downloaded from another zone that is set to prompt a user first, Internet Explorer uses the prompt setting.

  • Download signed ActiveX controls. This option determines whether users can download signed ActiveX controls from a page in the specified zone. This option has the following settings:

    • Disable, which prevents all signed controls from downloading. 

    • Enable, which downloads valid signed controls without user intervention and prompts users to choose whether to download invalid signed controls—that is, controls that have been revoked or have expired. 

    • Prompt, which prompts users to choose whether to download controls signed by publishers who are not trusted, but still silently downloads code validly signed by trusted publishers.

For more information about trusted publishers, see "Digital Certificates" in this Resource Kit.

  • Download unsigned ActiveX controls. This option determines whether users can download unsigned ActiveX controls from the zone. This code is potentially harmful, especially when it comes from an untrusted zone. This option has the following settings:

    • Disable, which prevents unsigned controls from running. 

    • Enable, which runs unsigned controls without user intervention. 

    • Prompt, which prompts users to choose whether to allow the unsigned control to run. 

  • Initialize and script ActiveX controls not marked as safe. ActiveX controls are classified as either trusted or untrusted. This option controls whether a script can interact with untrusted controls in the zone. Untrusted controls are not meant for use on Internet pages, but in some cases they can be used with pages that can be absolutely trusted not to use the controls harmfully. Object safety should be enforced unless you can trust all ActiveX controls and scripts on pages in the zone. This option has the following settings:

    • Disable, which enforces object safety for untrusted data or scripts. ActiveX controls that cannot be trusted are not loaded with parameters or scripted. 

    • Enable, which overrides object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes Internet Explorer to initialize and script both untrusted and trusted controls and ignore the Script ActiveX controls marked safe for scripting option. 

    • Prompt, which attempts to enforce object safety. However, if ActiveX controls cannot be made safe for untrusted data or scripts, users are given the option of allowing the control to be loaded with parameters or to be scripted. 

      For more information about how to make ActiveX controls safe, see the MSDN Web site at http://msdn.microsoft.com/

  • Run ActiveX controls and plug-ins. This option determines whether Internet Explorer can run ActiveX controls and plug-ins from pages in the zone. This option has the following settings:

    • Administrator approved, which runs only those controls and plug-ins that you have approved for your users. To select the list of approved controls and plug-ins, use Internet Explorer system policies and restrictions. The Control Management category of policies enables you to manage these controls. For more information about selecting Control Management policies, see the appendix "Setting System Policies and Restrictions" in this Resource Kit. 

    • Disable, which prevents controls and plug-ins from running. 

    • Enable, which runs controls and plug-ins without user intervention. 

    • Prompt, which prompts users to choose whether to allow the controls or plug-ins to run. 

  • Script ActiveX controls marked safe for scripting. This option determines whether an ActiveX control that is marked safe for scripting can interact with a script. This option affects only controls that are loaded with <param> tags. This option has the following settings:

    • Disable, which prevents script interaction. 

    • Enable, which allows script interaction without user intervention. 

    • Prompt, which prompts users to choose whether to allow script interaction. 

      Internet Explorer ignores this option when Initialize and script ActiveX controls that are not marked safe is set to Enable, because that setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones. 

Note In Internet Explorer 5 and earlier versions of the browser, this option was enabled for all security levels. If you upgrade to Internet Explorer 6 and you did not disable this option in your previous browser version, it will remain enabled in Internet Explorer 6.

Downloads

Download options specify how Internet Explorer handles downloads as follows:

  • File download. This option controls whether file downloads are permitted based on the zone of the Web page that contains the download link, not the zone from which the file originated. This option has the following settings:

    • Disable, which prevents files from being downloaded from the zone. 

    • Enable, which allows files to be downloaded from the zone. 

  • Font download. This option determines whether Web pages within the zone can download HTML fonts. This option has the following settings:

    • Disable, which prevents HTML fonts from being downloaded. 

    • Enable, which downloads HTML fonts without user intervention. 

    • Prompt, which prompts users to choose whether to allow the download of HTML fonts. 

Miscellaneous

These options control whether users can access data sources across domains, submit nonencrypted form data, launch applications and files from IFRAME elements, install desktop items, drag and drop files, copy and paste files, and access software channel features from this zone.

  • Access data sources across domains. This option specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data. This option has the following settings:

    • Disable, which allows database access only in the same domain as the Web page. 

    • Enable, which allows database access to any source, including other domains. 

    • Prompt, which prompts users before allowing database access to any source in other domains. 

  • Allow META REFRESH. This option specifies whether Web pages can use meta-refreshes to reload pages after a preset delay. This option has the following settings:

    • Disable, which prevents Web pages from using meta-refreshes. 

    • Enable, which allows Web pages to use meta-refreshes. 

  • Display mixed content. This option specifies whether Web pages can display content from both secure and non-secure servers. This option has the following settings:

    • Disable, which prevents Web pages from displaying non-secure content. 

    • Enable, which allows Web pages to display both secure and non-secure content. 

    • Prompt, which prompts users before allowing Web pages to display both secure and non-secure content. 

  • Don't prompt for client certificate selection when no certificates or only one certificate exists. This option specifies whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer. This option has the following settings:

    • Disable, which allows users to be prompted for a certificate. 

    • Enable, which prevents users from being prompted for a certificate. 

  • Drag and drop or copy and paste files. This option controls whether users can drag and drop, or copy and paste, files from Web pages within the zone. This option has the following settings:

    • Disable, which prevents users from dragging and dropping files, or copying and pasting files, from the zone. 

    • Enable, which enables users to drag and drop files, or copy and paste files, from the zone without being prompted. 

    • Prompt, which prompts users to choose whether they can drag and drop files, or copy and paste files, from the zone. 

  • Installation of desktop items. This option controls whether users can install desktop items from Web pages within the zone. This option has the following settings:

    • Disable, which prevents users from installing desktop items from this zone. 

    • Enable, which enables users to install desktop items from this zone without being prompted. 

    • Prompt, which prompts users to choose whether they can install desktop items from this zone. 

  • Launching programs and files in an IFRAME. This option controls whether users can launch programs and files from an IFRAME element (containing a directory or folder reference) in Web pages within the zone. This option has the following settings:

    • Disable, which prevents programs from running and files from downloading from IFRAME elements on Web pages in the zone. 

    • Enable, which runs programs and downloads files from IFRAME elements on Web pages in the zone without user intervention. 

    • Prompt, which prompts users to choose whether to run programs and download files from IFRAME elements on Web pages in the zone. 

  • Navigate sub-frames across different domains. This option controls whether readers of a Web page can navigate the sub-frame of a window with a top-level document that resides in a different domain. This option has the following settings:

    • Disable, which allows users to navigate only between Web page sub-frames that reside in the same domain. 

    • Enable, which allows users to navigate between all Web page sub-frames, regardless of the domain, without being prompted. 

    • Prompt, which prompts users to choose whether to navigate between Web page sub-frames that reside in different domains. 

  • Software channel permissions. This option controls the permissions given to software distribution channels. This option has the following settings:

    • High safety, which prevents users from being notified about software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers. 

    • Low safety, which notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers. 

    • Medium safety, which notifies users about software updates by e-mail and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download. 

  • Submit nonencrypted form data. This option determines whether HTML pages in the zone can submit forms to or accept forms from servers in the zone. Forms sent with Secure Sockets Layer (SSL) encryption are always allowed; this setting only affects data that is submitted by non-SSL forms. This option has the following settings:

    • Disable, which prevents information from forms on HTML pages in the zone from being submitted. 

    • Enable, which allows information from forms on HTML pages in the zone to be submitted without user intervention. 

    • Prompt, which prompts users to choose whether to allow information from forms on HTML pages in the zone to be submitted. 

  • Userdata persistence. This option determines whether a Web page can save a small file of personal information associated with the page to the computer. This option has the following settings:

    • Disable, which prevents a Web page from saving a small file of personal information to the computer. 

    • Enable, which allows a Web page to save a small file of personal information to the computer. 

Scripting

Scripting options specify how Internet Explorer handles scripts.

  • Active scripting. This option determines whether Internet Explorer can run script code on Web pages in the zone. This option has the following settings:

    • Disable, which prevents scripts from running. 

    • Enable, which runs scripts without user intervention. 

    • Prompt, which prompts users about whether to allow the scripts to run. 

  • Allow paste operations via script. This option determines whether a Web page can cut, copy, and paste information from the Clipboard. This option has the following settings:

    • Disable, which prevents a Web page from cutting, copying, and pasting information from the Clipboard. 

    • Enable, which allows a Web page to cut, copy, and paste information from the Clipboard without user intervention. 

    • Prompt, which prompts users about whether to allow a Web page to cut, copy, or paste information from the Clipboard. 

  • Scripting of Java applets. This option determines whether scripts within the zone can use objects that exist within Java applets. This capability allows a script on a Web page to interact with a Java applet. This option has the following settings:

    • Disable, which prevents scripts from accessing applets. 

    • Enable, which allows scripts to access applets without user intervention. 

    • Prompt, which prompts users about whether to allow scripts to access applets. 

User Authentication

The User Authentication option controls how HTTP user authentication is handled.

  • Logon. This option has the following settings:

    • Anonymous logon. Disables HTTP authentication and uses the guest account only for authentication using the Common Internet File System (CIFS) protocol. 

    • Automatic logon only in Intranet zone. Prompts users for user IDs and passwords in other zones. After users are prompted, these values can be used silently for the remainder of the session. 

    • Automatic logon with current username and password. Attempts logon using Windows NT Challenge Response (also known as NTLM authentication), an authentication protocol between the client computer and the application server. If Windows NT Challenge Response is supported by the server, the logon uses the network user name and password for logon. If the server does not support Windows NT Challenge Response, users are prompted to provide their user names and passwords. 

      For information about other secure connection options, see "Users' Privacy" in this Resource Kit. 

    • Prompt for user name and password. Prompts users for user IDs and passwords. After users are prompted, these values can be used silently for the remainder of the session. 


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft