Enhanced Security Configuration in Internet Explorer

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent security risks, the default configuration of Internet Explorer has changed in Windows Server 2003. This new default configuration, known as Internet Explorer Enhanced Security Configuration, restricts the ability of a Web site to download files and to run scripts and ActiveX® components. In addition, the Internet Explorer Enhanced Security Configuration disables Internet Explorer’s ability to detect whether a Web site is in the Local intranet zone, which restricts access to such things as: intranet Web sites, Web-based applications that run over the intranet, and files or folders on network shares. The Local intranet zone is one of the four Web content zones, along with Internet, Trusted sites, and Restricted sites.

Prior to the implementation of the Internet Explorer Enhanced Security Configuration, anything that was in the Local intranet zone was considered trustworthy. For example, if Internet Explorer determined that a Web site was in the Local intranet zone, and the Web site requested a user’s credentials, Internet Explorer would automatically pass the credentials to the Web site without prompting the user. Under the Internet Explorer Enhanced Security Configuration, intranet Web sites and universal naming convention (UNC) paths must be explicitly specified in the Local intranet zone or the Trusted sites zone to be considered trustworthy.

Because of the Enhanced Security Configuration settings, some applications might experience problems interacting with Web sites, network resources, and ActiveX components and scripts. These problems can occur when an application is being installed and when an application is running. For example, the Enhanced Security Configuration can prevent an application from being installed properly when the application attempts to download required files from a site that is restricted. Similarly, the Enhanced Security Configuration can prevent an application from running properly when it attempts to use an Internet Explorer feature that has been disabled. In addition, an application might not be able to use a UNC path to access a shared folder across the network.

To overcome these limitations, you can:

  • Add trusted sites and UNC paths to the Trusted sites zone or to the Local intranet zone.

  • Modify Internet Explorer security settings for a specific content zone or all content zones.

  • Disable Internet Explorer Enhanced Security Configuration settings.

If you know that an application requires access to an Internet site that is restricted, you also can request that the application vendor change the application setup program so that the required Web site is added to the Trusted sites zone during installation.

Caution

  • Do not disable the Enhanced Security Configuration settings unless you have no other alternative. Disabling the Enhanced Security Configuration increases the risk of security attacks.

For more information about Enhanced Security Configuration settings, see "Internet Explorer Enhanced Security Configuration" in Help and Support Center for Windows Server 2003.