Internet Explorer 6

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

Introduction

This section provides information that can help you plan and deploy configurations for Internet Explorer 6 in a way that balances your users’ requirements for Internet access with your organization’s requirements for protection of networked assets. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to Web sites, run software from the Internet, download items from the Internet, and perform similar actions. This section, however, provides overview information as well as suggestions for other sources of information.

Notes

  • This section of the white paper describes Internet Explorer 6, but does not describe the related components Outlook Express 6 (the email component in Windows XP), the New Connection Wizard, or the error reporting tool in Internet Explorer. For information about these components, see the respective sections of this white paper (the error reporting tool in Internet Explorer is described in the "Windows Error Reporting" section of this white paper).

  • Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000.

For more information about Internet Explorer, see the following resources:

Benefits and Purposes of Internet Explorer 6

Internet Explorer 6 in Windows XP Professional with SP2 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from most of the other components described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with components that communicate with the Internet in the process of supporting some other activity).

Internet Explorer 6 is also designed to be highly configurable, with security and privacy settings that can protect your organization’s networked assets while at the same time providing users with access to useful information and tools.

Internet Explorer 6 offers more security-related options and settings than were available in Internet Explorer 5. With an understanding of the settings and options available in Internet Explorer 6, you can choose the settings appropriate to your organization’s requirements and create a plan for one or more standard Internet Explorer configurations. After planning your standard configurations, you can use deployment tools to deploy and maintain them. The subsections that follow provide more information about these steps.

Steps for Planning and Deploying Configurations for Internet Explorer 6

This section outlines a list of steps that can help you deploy Internet Explorer 6 in a way that provides users with Internet access, while at the same time providing your organization’s networked assets with an appropriate level of protection from the risks inherent in the Internet. (If you prefer to remove all visible entry points to Internet Explorer, see "Procedures for Removing Visible Entry Points to Internet Explorer in Windows XP with SP2," later in this section.)

A recommended set of steps is:

  • Assess the other elements in your security plan that will work together with Internet Explorer 6 to provide users with access to the Internet while still providing an appropriate degree of protection for your organization’s networked assets. These elements include:

    • Your proxy server.

    • Your firewall.

    • Your basic security measures, as described in the introduction to this white paper. These security measures include using virus-protection software and setting requirements for strong passwords.

    It is beyond the scope of this white paper to provide detailed recommendations for these security elements. For more information about security, see the references listed in the introduction, as well as the documentation for your proxy server, firewall, virus-protection software, and other software you use to protect networked assets.

  • Learn about the security-related features offered in Internet Explorer 6, some of which are described in "Examples of the Security-Related Features Offered in Internet Explorer 6," later in this section. Using information about these features, identify the ones of most value for your business and security requirements.

  • Learn how to configure security settings in Internet Explorer 6, as described in "Learning About Security and Privacy Settings in Internet Explorer 6," later in this section.

  • Learn about ways to mitigate the risks inherent in code that can be run through a browser, as described in "Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts," later in this section.

  • After gathering information about the previous three items (security-related features, security settings, risks inherent in code), plan one or more standard Internet Explorer configurations for the desktops in your organization.

  • Learn about ways of deploying configurations of Internet Explorer 6 across your organization:

    • Learn about using Group Policy to control the configuration of Internet Explorer 6 on desktops across your organization, as described in "Learning About Group Policy Objects That Control Configuration Settings for Internet Explorer 6," later in this section.

    • Learn about the deployment technologies available in the Internet Explorer Administration Kit (IEAK) 6 SP1, some of which are described in "Learning About the Internet Explorer Administration Kit," later in this section.

    Using the information about Group Policy and the IEAK, create a plan for deploying and maintaining your standard Internet Explorer configurations.

Excluding Internet Explorer 6 from the Desktop

For information about removing visible entry points to Internet Explorer 6 in Windows XP Professional with SP2, see "Procedures for Removing Visible Entry Points to Internet Explorer 6 in Windows XP Professional with SP2," later in this section.

Examples of the Security-Related Features Offered in Internet Explorer 6

This subsection describes enhancements in some of the security-related features in Internet Explorer 6, as compared to Internet Explorer 5. These features include:

  • A Privacy tab that provides greater flexibility in specifying whether cookies will be blocked from specific sites or types of sites. An example of a type of site that could be blocked is one that does not have a compact policy—that is, a condensed computer-readable privacy statement. (The Privacy tab was not available in Internet Explorer 5.)

  • Security settings that specify how Internet Explorer 6 handles such higher-risk items as ActiveX controls, downloads, and scripts. These settings can be customized as needed, or they can be set to these predefined levels: high, medium, medium-low, or low. You can specify different settings for a number of zones, the most basic being the four preconfigured zones:

    • Local intranet zone: Contains addresses inside the boundary defined by your proxy server or firewall.

    • Trusted sites: Includes sites you designate as "trusted."

    • Restricted sites: Includes sites you designate as "restricted."

    • Internet zone: Includes everything that is not in another zone and is not on the local computer.

    You can also specify different settings for the customized zones that you add programmatically using the URL security zones application programming interface (API). For more information, search for "URL security zones" on the MSDN Web site at:

    https://msdn.microsoft.com/

  • Support for content-restricted IFrames (inline floating frames). This type of support enables developers to implement these frames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks.

  • Improvements in Windows XP Service Pack 2 (SP2) that increase the overall security and reliability of Internet Explorer 6. These improvements include a configurable pop-up blocker, an interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features.

For more information about features available in Internet Explorer, see the information in the next subsection, as well as the Internet Explorer page on the Microsoft Web site at:

https://www.microsoft.com/windows/ie/

Resources for Learning About Topics Related to Security in Internet Explorer 6

This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 6:

  • Security and privacy settings available in Internet Explorer 6

  • Methods for mitigating the risks inherent in Web-based programs and scripts

  • Ways to use Group Policy objects that control configuration settings for Internet Explorer 6

  • The Internet Explorer Administration Kit

In addition, for information about unattended installation, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment."

Learning About Security and Privacy Settings in Internet Explorer 6

Two important sources of detailed information about the security and privacy settings in the version of Internet Explorer 6 in Windows XP with SP2 are as follows:

  • “Changes to Functionality in Microsoft Windows XP Service Pack 2,” which contains information about the pop-up blocker, the interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features. This document is available on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=30566

  • Microsoft Internet Explorer 6 Resource Kit

    To learn about this and other resource kits, see the Microsoft TechNet Web site at:

    https://go.microsoft.com/fwlink/?linkid=29894

    The Microsoft Internet Explorer 6 Resource Kit consists of a number of parts that include these titles:

    • "Privacy and Security Features"

    • "Preparation for Deployment"

    • "Customization and Installation"

    • "Maintenance and Support," including information about keeping programs updated

    • Appendices, including an appendix titled "Setting System Policies and Restrictions"

  • The privacy statement for the version of Internet Explorer in Windows XP SP2. This privacy statement is on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=28456

Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts

In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects running within Web pages. This code can move across the Internet and is sometimes referred to as "mobile code." Configuration settings provide ways for you to control the way Internet Explorer 6 responds when a user tries to run mobile code. Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows:

  • You can control the code (in ActiveX controls or in scripts, for instance) that users can run. You can do this by customizing Authenticode® settings, which can, for example, prevent users from running any unsigned code or enable them to only run code signed by specific authors.

  • If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 6 looks for a requested executable, it goes to your own internal Web site instead of the Internet. For more information, see the white paper titled "Managing Mobile Code with Microsoft Technologies" at the end of this list, and search for “CodeBase”.

You can use the following sources to learn more about mitigating the risks inherent in Web-based applications and scripts:

  • To understand more about how a particular Microsoft programming or scripting language works, see the MSDN Web site at:

    https://msdn.microsoft.com/

  • To learn about approaches to mitigating the risks presented by mobile code, see "Managing Mobile Code with Microsoft Technologies," a white paper on the TechNet Web site at:

    https://go.microsoft.com/fwlink/?linkid=29170

Learning About Group Policy Objects That Control Configuration Settings for Internet Explorer 6

You can control configuration settings for Internet Explorer 6 by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see the appropriate appendices in this white paper.

To learn about specific Group Policy settings that can be applied to computers running Windows XP Professional with SP2, see the following two sources of information:

Learning About the Internet Explorer Administration Kit

With the deployment technologies available in the Internet Explorer Administration Kit (IEAK), you can efficiently deploy Internet Explorer and control the configuration of Internet Explorer across your organization. (You can also control the configuration of Internet Explorer by using Group Policy. For more information, see "Learning about Group Policy objects that control configuration settings for Internet Explorer 6," earlier in this section.)

A few of the features and resources in the IEAK include:

  • Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops.

  • IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.

  • IEAK Toolkit. The IEAK Toolkit contains a variety of helpful tools, programs, and sample files.

  • IEAK Help. IEAK Help includes many conceptual and procedural topics that you can view by using the Index, Contents, and Search tabs. You can also print topics from IEAK Help.

For more information about the IEAK, see the Windows Web site at:

https://go.microsoft.com/fwlink/?linkid=29479

Procedures for Controlling Internet Explorer in Windows XP with SP2

The following subsections provide procedures for carrying out two types of tasks:

  • Removing visible entry points to Internet Explorer in Windows XP with SP2

  • Setting the security level for specific Web sites

Procedures for Removing Visible Entry Points to Internet Explorer in Windows XP with SP2

This subsection provides information about removing all visible entry points to Internet Explorer in Windows XP with SP2, for situations where you do not want users to have access to Internet Explorer, or where you want users to use another Web browser exclusively. The procedures explain how to do the following:

  • Remove visible entry points with Set Program Access and Defaults, through which the administrator of a computer running Windows XP with SP2 can specify which Web browser is shown on the Start menu, desktop, and other locations.

  • Remove visible entry points through Add or Remove Programs in Control Panel.

  • Remove visible entry points during unattended installation.

To Specify Which Web Browser Is Shown on the Start Menu, Desktop, and Other Locations on a Computer Running Windows XP with SP2

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

  1. Click Start and then click Set Program Access and Defaults.

  2. Click the Custom button.

    Note   Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Internet Explorer, but also to Outlook Express, Windows Media® Player, and Windows Messenger. If you do this, skip the remaining steps of this procedure.

  3. To disable access to Internet Explorer on this computer, to the right of Internet Explorer, clear the check box for Enable access to this program.

  4. If you want a different default Web browser to be available to users of this computer, select the Web browser from the options available.

    Note   For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see the MSDN Web site at:

    https://go.microsoft.com/fwlink/?linkid=29306

For more information about Set Program Access and Defaults, see article 328326, “How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1” in the Microsoft Knowledge Base at:

https://go.microsoft.com/fwlink/?linkid=29309

To Remove Visible Entry Points to Internet Explorer on an Individual Computer Running Windows XP with SP2

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. On the left, click Add/Remove Windows Components.

  4. In the Windows Components Wizard, scroll down and make sure the check box for Internet Explorer is cleared.

  5. Follow the instructions to complete the Windows Components Wizard.

To Remove Visible Entry Points to Internet Explorer During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."

  2. In the [Components] section of the answer file, include the following entry:

    IEAccess = Off

    For complete details about how the IEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
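
To check that every answer file in a deployment share actually carries the entry described in step 2, the following added example (not part of the original white paper) parses answer-file text and classifies the IEAccess setting. The function names, status labels, and sample files are constructed for illustration, and the example assumes section and entry names are compared without regard to case.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^(?P<key>[^=;]+?)\s*=\s*(?P<value>.*)$")

# Constructed sample answer files (not taken from any real deployment).
SAMPLES = {
    "kiosk.txt": "; constructed sample\n[Unattended]\nUnattendMode = FullUnattended\n\n"
                 "[components]\nieaccess=off\n",
    "office.txt": "[Unattended]\nUnattendMode = FullUnattended\n",
    "lab.txt": "[Components]\n; IEAccess = Off\n",
    "legacy.txt": "[Components]\nIEAccess = On\n",
    "merged.txt": "[Components]\nIEAccess = Off\n[Components]\nIEAccess = \"On\"\n",
}


def parse_answer_file(text):
    """Return {section: [(key, value), ...]} with lower-cased section and key names.

    Duplicate entries are kept (not overwritten) so a conflicting
    second IEAccess line can be reported instead of silently winning.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:             # entries outside a section are ignored
            value = m.group("value").strip().strip('"')
            sections[current].append((m.group("key").strip().lower(), value))
    return sections


def check_ieaccess(text):
    """Classify one answer file by its [Components] IEAccess entry."""
    sections = parse_answer_file(text)
    if "components" not in sections:
        return "missing-section"
    values = [v.lower() for k, v in sections["components"] if k == "ieaccess"]
    if not values:
        return "missing-entry"                    # includes a commented-out entry
    if len(set(values)) > 1:
        return "ambiguous"                        # conflicting duplicates need review
    return "ok" if values[0] == "off" else "not-off"


def audit(files):
    """Return {filename: status} for every answer file that does not pass."""
    findings = {}
    for name, text in files.items():
        status = check_ieaccess(text)
        if status != "ok":
            findings[name] = status
    return findings


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLES).items()):
        print(f"{name}: {status}")
```

A file reported as missing-entry or ambiguous deserves a manual look, because a commented-out or duplicated line is easy to miss when reading the file by eye.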

Procedures for Setting the Security Level to High for Specific Web Sites

The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as the running of scripts and the downloading of files from the site. For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or allows plug-ins, ActiveX controls, or scripts to be run, see “Examples of the Security-Related Features Offered in Internet Explorer 6” and “Learning About Security and Privacy Settings in Internet Explorer 6,” earlier in this section.

To Configure a Specific Computer with a Security Level of High for Specific Sites

  1. On the computer on which you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Restricted sites.

  3. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both Disable. After viewing the settings, click Cancel.

  4. With Restricted sites still selected, click Sites.

  5. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    http://*.Example.com

  6. Click the Add button.

To Use Group Policy to Set the Security Level to High for Specific Sites That Users in Your Organization Might Connect To

  1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.

  2. In Group Policy, click User Configuration, click Windows Settings, click Internet Explorer Maintenance, and then click Security.

  3. In the details pane, double-click Security Zones and Content Ratings.

  4. Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings.

  5. Select Restricted sites.

  6. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both Disable. After viewing the settings, click Cancel.

  7. With Restricted sites still selected, click Sites.

  8. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    http://*.Example.com

  9. Click the Add button.