Authenticode

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Roger Grimes


What Is Authenticode?

Today's Web sites provide not only a rich experience for users but also the possibility of unwittingly downloading malicious code. With increasingly active content on the Internet, end users often must decide whether or not to download code over the Internet. However, end users cannot really tell what a piece of software will do until they've downloaded it to their computers.

Unlike in the retail environment, software on the Internet isn’t labeled or shrink-wrapped. Therefore, end users don't know for sure who published a piece of software on the Internet. They also don't know whether the code has been tampered with. As a result, end users take on a certain amount of risk when downloading Java applets, plug-ins, Microsoft® ActiveX™ controls, and other executables over the Internet.

Internet Explorer (IE) uses Authenticode™ technology and its underlying code signing mechanisms to help address this problem for end users. While not guaranteeing bug-free code, Authenticode identifies the publisher of signed software and verifies that it hasn't been tampered with, before users download software to their PCs. As a result, end users can make a more informed decision as to whether or not to download code.

The security methods used to support this proposal rely on tested and proven technology. Authenticode relies on digital certificates and is based on specifications that have been used successfully in the industry for some time, including Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms.

This paper discusses Microsoft’s Authenticode technology, digital certificates, and IE’s handling of potentially dangerous content.

Digital Certificates Overview

Although users of Authenticode don’t have to master digital authentication to benefit from the technology, it’s helpful to understand the basic concepts. Digital certificates are electronic credentials that verify an individual's or an organization's identity on the Web. The identity of the digital certificate owner is bound to a pair of electronic keys that can be used to encrypt and sign digital information, assuring that the keys actually belong to the person or organization specified.

Digital certificates contain at least the following information:

  • Owner's public key

  • Owner's name or alias

  • Expiration date of the digital certificate

  • Serial number of the digital certificate

  • Name of the certification authority that issued the digital certificate

  • Digital signature of the certification authority that issued the digital certificate

Digital certificates may also contain other user-supplied information, including:

  • Postal address

  • Email address

  • Basic registration information (country/region, postal code, age, and gender)

Certificate Authority

Digital certificates are authenticated, issued, and managed by a trusted third party called a Certificate Authority (CA). The CA must provide a combination of three essential elements: technology, such as security protocols and standards, secure messaging, and cryptography; infrastructure, including secure facilities, customer support, and redundant systems; and practices, including a defined model of trust and a legally binding framework for subscriber activities and disputes. In short, a CA must be a trusted online service operating 24 hours a day, 7 days a week, on a global basis. In addition to obtaining digital certificates from commercial CAs, users can also implement certificate servers such as Microsoft Certificate Server.

Commercial CAs issue digital certificates verifying the electronic identity of individuals and organizations on the Web. The CAs' primary responsibility is to confirm the identity of those seeking a digital certificate, thus ensuring the validity of the identification information contained in the digital certificate.

CAs perform the following types of services:

  • Provide, manage, and renew digital certificates

  • Authenticate the identities of individuals and organizations

  • Verify the registrations of individuals and organizations

  • Publish and maintain a Certificate Revocation List (CRL) of all digital certificates that the CA has revoked

  • Handle legal and liability issues for broken security

Many commercial CAs offer certificate services for Microsoft products, as well as a wide range of other certificate services. For a current list of CAs that support Microsoft products, visit https://www.microsoft.com/security/ .

Types of Digital Certificates

Commercial CAs issue various types of digital certificates, such as:

  • Personal certificates for individuals to digitally sign communications and ensure secure transactions over the Internet and intranet

  • Client and server certificates for managing secure transactions between clients and servers

  • Software publisher certificates for individuals who digitally sign their software

  • Software publisher certificates for commercial software publishers who digitally sign their software

CAs can also issue many other types of certificates. Each CA operates within the aegis of its Certification Practices Statement (CPS). It's a good idea to visit the CA's Web site and read the CPS to understand the certificates issued and the CA's operating procedures.

Digital Certificate Uses

Digital certificates form the basis for secure communication and client and server authentication on the Web. Digital certificates can be used to:

  • Encrypt secure communication channels between client machines and the servers on the Web

  • Verify the identity (user authentication) of clients and servers for secure communication channels between clients and servers on the Web

  • Encrypt messages for secure Internet email communications

  • Verify the authorship of Internet email messages

  • Sign executable code to be downloaded on the Web

  • Verify the source and integrity of signed executable code downloaded from the Web

Digital Certificate Considerations for the Systems Administrator

You can install certificates and configure certificate settings for IE to control secure email communications, the downloading of active content, and user authentication for clients and servers. Systems administrators can use the Internet Explorer Administration Kit (IEAK) Configuration Wizard to specify certificate configurations for the custom packages of IE they deploy in user groups. The IEAK Profile Manager can be used to manage certificate configurations for user groups through IE’s automatic browser configuration feature.

Instead of obtaining all digital certificates from commercial CAs, you can implement a certificate server such as Microsoft Certificate Server to manage the issuance, renewal, and revocation of industry-standard digital certificates for your users. They can use these digital certificates in conjunction with servers that support Secure Sockets Layer (SSL) or Private Communications Technology (PCT) to build a secure Web infrastructure for the Internet or intranet. For large organizations with complex Web needs, certificate servers offer many advantages over commercial CAs, including total control over certificate management policies and lower costs. Signed code is treated differently than unsigned code in IE.

Internet Explorer and Authenticode

When IE downloads potentially dangerous content, it checks to see whether the code is digitally signed by a trusted certificate. Depending on your browser Security setting (High, Medium, Medium-Low, Low, or Custom) for the zone the content is originating from and the success or failure of the Authenticode verification process, the browser determines whether or not to automatically run the content. In IE, Security settings are found under Tools, Internet Options. With Security set to High, no potentially dangerous content will be run, signed or unsigned. IE’s default level of security for the Internet zone is Medium. Moderate levels of security either prompt the user to allow or deny the content’s activation, or automatically deny unsafe and unsigned content. When prompted to allow or deny signed content, the user is allowed to inspect the signer’s digital certificate. You can configure Security levels for each security zone.

Security Zones Overview

Zone security is a system that allows the user or systems administrator to divide into groups the Web content a browser can visit. This Web content can be anything, such as an HTML file, a graphic, an ActiveX control, a Java applet, or an executable file. Each group, or zone, then has a security level assigned to it. In this way, security zones control users' access to Web sites, depending on the zone in which the site is located and the level of trust assigned to each zone. IE provides the following predefined security zones (see Figure 1):

  • Internet zone. All sites on the Internet that aren’t in the Trusted Sites or Restricted Sites zones are included in this zone. The default security level is Medium.

  • Local Intranet zone. This zone includes all sites inside an organization's firewall (for computers connected to a local network). The Local Intranet zone is also home to Web applications that need access to the user's hard disk. The default security level is Medium-Low.

  • Trusted Sites zone. This is the zone where you specify Internet sites you know you can trust. These sites might include corporate subsidiaries or perhaps the Web site of a trusted business partner. The default security level is Low.

  • Restricted Sites zone. This is the zone where you specify sites that you know you cannot trust. The default security level is High.

    Figure 1: Security zones


A fifth zone, Local Machine, exists but isn’t included in the user interface and isn’t configurable through the security options. Local Machine can only be configured in the registry. Local Machine includes most content on the local disk, excluding cached classes in the Temporary Internet Files folder and classes that are signed with restricted privileges. This area forms a completely trusted zone, to which few or no security restrictions apply. Systems administrators can also exclude network and other drives by explicitly mapping them into other zones, if necessary.

Using security zones, it's easy to provide the appropriate level of security for the various types of Web content that users are likely to encounter. You can accept the default setting for each zone; change the setting to another of the preset High, Medium, and Low choices; or use the Custom setting for more precise control.

For example, it's likely that you fully trust sites on your company's intranet, so you probably want to allow all types of active content to run there. Simply set the Local Intranet zone to a low level of security. You probably don't feel as confident about sites on the Internet, so you can assign the entire Internet zone a higher level of security to prevent active content from being run and code from being downloaded to your computer. However, if there are specific sites you trust, you can place individual URLs or entire domains in the Trusted Sites zone. Other sites on the Internet are known to be sources of potentially harmful Web content, so you can choose to place the highest restrictions on those sites.

Zone Operations

When an HTML page is opened, a DLL called Urlmon.dll is used to determine the zone from which it was loaded. To do this, two things happen. First, Urlmon.dll checks to see whether a proxy server was used to get the HTML page; if so, Urlmon.dll automatically knows that the page is from the Internet. Next, it checks the registry to see whether the page is from a designated Trusted or Untrusted location, and the security zone is set appropriately. If no proxy server is involved, the URL is then parsed to determine where the page comes from.

You can find all of the zone security settings in two registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    and

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

The ZoneMap key contains the list of trusted and untrusted (restricted) Web sites, domains, and protocols. The Zones key contains the actual zones and the security settings that apply to each zone.

Setting Up Security Zones

Users can specify the sites included in the Local Intranet, Restricted Sites, and Trusted Sites security zones. The Internet zone comprises all Web sites not included in any of the other zones.

Note: Web content can be addressed either by Domain Name System (DNS) name or by IP address. For sites that use both, it’s important to configure both references to the same zone. In common cases, the Local Intranet sites are identifiable by either local names or by IP addresses in the proxy bypass list. All other names and IP addresses would be mapped to the Internet zone. However, if a site name is entered into the Trusted Sites or Restricted Sites zone site list, but its IP address range isn't, then the site may be treated as part of the Internet zone when it is accessed by its IP address.

Local Intranet Zone

To be secure, it’s imperative that you set up the Local Intranet zone in conjunction with the proxy server and firewall configurations. All sites in the zone should be inside the firewall, and proxy servers should be configured so that they don’t allow an external DNS name to be resolved to this zone. Configuring the client zone security requires a detailed knowledge of the existing network configuration, proxy servers, and secure firewalls.

By default, the Local Intranet zone consists of local domain names and the addresses of any proxy exceptions. You should confirm that these settings are indeed secure for the installation, or adjust the settings to be secure. When setting up the zone, you can specify which categories of URLs should be considered. See the Local intranet settings in Table 1. You can also add specific sites to the zone.

Table 1 Local intranet settings

| Option | Description |
|---|---|
| Include all local (intranet) sites not listed in other zones | Includes all sites not included in other zones. Intranet sites have names that don’t include periods inside the URL (for example, http://local/). A site name such as https://www.microsoft.com/ isn’t local, because it contains periods. This site would be assigned to the Internet zone. The intranet site name rule applies to file: as well as http: URLs. |
| Include all sites that bypass the proxy server | Includes all sites that bypass the proxy server. Typical intranet configurations use a proxy server to access the Internet with a direct connection to intranet servers. This setting uses this kind of configuration information to distinguish intranet from Internet content for purposes of zones. If the proxy server is otherwise configured, you should deselect this option and select other options to designate intranet zone membership. In systems without a proxy server, this setting has no effect. |
| Include all network paths (UNCs) | Includes all network Universal Naming Convention (UNC) paths. Network paths (for example, \\local\file.txt) are typically used for local network content that should be included in the Local Intranet zone. If some network paths shouldn’t be in the Local Intranet zone, you should deselect this option and select other options to designate membership. For example, in certain Common Internet File System (CIFS) configurations, a network path can reference Internet content. |

Note: If some parts of your intranet are less secure or otherwise not trustworthy, you can exclude them from this zone by assigning them to the Restricted Sites zone.

Once you’ve checked that the Local Intranet zone is secure, you may want to change the zone's security level to Low to allow a wider range of operations and make the Web pages more functional. You can also adjust individual security settings in the Custom Settings.
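The zone-assignment rules described under Zone Operations, Setting Up Security Zones, and Table 1 can be modelled to check a configuration for the DNS-name-versus-IP-address gap noted above. This is an added example, not code from the original article or from Urlmon.dll; the class, function names, exact-host matching, and the sample site lists and addresses are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of zone assignment, not Urlmon.dll's logic.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ZoneConfig:
    """Site lists plus the three Table 1 options (field names are hypothetical)."""
    trusted_sites: set = field(default_factory=set)
    restricted_sites: set = field(default_factory=set)
    intranet_sites: set = field(default_factory=set)   # sites added by hand
    proxy_bypass: set = field(default_factory=set)     # hosts reached directly
    proxy_configured: bool = True
    include_local_names: bool = True    # "Include all local (intranet) sites ..."
    include_proxy_bypass: bool = True   # "Include all sites that bypass the proxy server"
    include_unc: bool = True            # "Include all network paths (UNCs)"


def parse_location(location):
    """Return (scheme, host, is_unc) for a URL or a UNC network path."""
    if location.startswith("\\\\"):
        return "unc", location[2:].split("\\", 1)[0].lower(), True
    parts = urlsplit(location)
    return parts.scheme.lower(), (parts.hostname or "").lower(), False


def resolve_zone(location, cfg):
    """Map a location to a zone name using the rules the article describes."""
    scheme, host, is_unc = parse_location(location)
    if scheme == "file" and not host:
        return "Local Machine"          # content on the local disk
    # Explicit site lists take precedence (exact host match only in this model).
    if host in cfg.restricted_sites:
        return "Restricted Sites"
    if host in cfg.trusted_sites:
        return "Trusted Sites"
    if host in cfg.intranet_sites:
        return "Local Intranet"
    if is_unc:
        return "Local Intranet" if cfg.include_unc else "Internet"
    # Intranet names contain no periods; applies to http: and file: URLs.
    if cfg.include_local_names and host and "." not in host:
        return "Local Intranet"
    # The proxy-bypass rule has no effect when no proxy server is configured.
    if cfg.proxy_configured and cfg.include_proxy_bypass and host in cfg.proxy_bypass:
        return "Local Intranet"
    return "Internet"


def split_zone_findings(cfg, name_to_ip):
    """List sites whose DNS name and IP address land in different zones."""
    findings = []
    for name, ip in sorted(name_to_ip.items()):
        by_name = resolve_zone(f"http://{name}/", cfg)
        by_ip = resolve_zone(f"http://{ip}/", cfg)
        if by_name != by_ip:
            findings.append((name, by_name, ip, by_ip))
    return findings


# Constructed sample configuration and name-to-address inventory.
SAMPLE_CFG = ZoneConfig(
    trusted_sites={"partner.example.com"},
    restricted_sites={"badsite.example.net"},
    proxy_bypass={"10.0.0.5"},
)
SAMPLE_DNS = {
    "partner.example.com": "203.0.113.10",
    "badsite.example.net": "198.51.100.7",
    "intranet": "10.0.0.5",
    "wiki": "10.0.0.9",
}

if __name__ == "__main__":
    for name, by_name, ip, by_ip in split_zone_findings(SAMPLE_CFG, SAMPLE_DNS):
        print(f"{name}: {by_name} by name, but {ip} resolves to {by_ip}")
```

In the sample data the restricted site is the notable finding: reached by IP address it is handled as Internet zone content (Medium by default) rather than at the High level its name was assigned.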

Restricted and Trusted Sites Zones

The Restricted Sites and Trusted Sites zones are where you can assign specific Web sites that you trust more or less than those in the Internet zone or the Local Intranet zone.

The Trusted Sites zone is assigned a Low security level setting by default. It’s intended for highly trusted sites, such as companies with which you frequently do business, and is sometimes known as an extranet. If you assign a site to the Trusted Sites zone, the site will be allowed to perform more powerful operations. Also, IE will require the user to make fewer security decisions. Add a site to this zone only if you trust all of its content never to do anything harmful to the user's computer. For the Trusted Sites zone, it’s strongly recommended that you use the HTTP over SSL (HTTPS) protocol or otherwise ensure that connections to the site are secure.

The Restricted Sites zone is assigned a High security level setting by default. This zone is designed for the rare case of a site you don't trust. If you assign a site to the Restricted Sites zone, the site will be allowed to perform only minimal, very safe operations. Due to the performance restrictions necessary for this extremely high level of security, some Web pages in this zone may not function properly.

IE’s Security Levels

As Table 2 shows, IE has five security levels that can be applied against the different zones.

Table 2 IE security levels

| Security Level | Description |
|---|---|
| High (most secure) | Excludes content that could damage users' computers. |
| Medium (more secure) | Default setting for the Internet zone. Warns users and queries whether they want to run potentially damaging content. |
| Medium-Low | Default setting for the Local Intranet zone. |
| Low | Runs potentially damaging content without notifying users. |
| Custom Level (for expert users) | Specifies custom settings for zones. |

The default Low, Medium-Low, Medium, and High security levels are detailed in Table 3. You can accept the defaults or configure custom zone settings to meet your needs.

Table 3 Security options details

| Security Option | Low Level | Medium-Low Level | Medium Level | High Level |
|---|---|---|---|---|
| Download signed ActiveX controls | Enable | Prompt | Prompt | Disable |
| Download unsigned ActiveX controls | Prompt | Disable | Disable | Disable |
| Initialize and script ActiveX controls not marked as safe | Prompt | Disable | Disable | Disable |
| Run ActiveX controls and plug-ins | Enable | Enable | Enable | Disable |
| Script ActiveX controls marked safe for scripting | Enable | Enable | Enable | Disable |
| File download | Enable | Enable | Enable | Disable |
| Font download | Enable | Enable | Enable | Prompt |
| Java permissions | Low Safety | Medium Safety | High Safety | Disable Java |
| Access data sources across domains | Enable | Prompt | Disable | Disable |
| Allow META REFRESH | Enable | Enable | Enable | Disable |
| Display mixed content | Prompt | Prompt | Prompt | Prompt |
| Don’t prompt for client certificate selection when no certificates or only one certificate exists | Enable | Enable | Disable | Disable |
| Drag and drop or copy and paste files | Enable | Enable | Enable | Prompt |
| Installation of desktop items | Enable | Prompt | Prompt | Disable |
| Launching programs and files in an IFRAME | Enable | Prompt | Prompt | Disable |
| Navigate sub-frames across different domains | Enable | Enable | Enable | Disable |
| Software channel permissions | Low safety | Medium safety | Medium safety | High safety |
| Submit nonencrypted form data | Enable | Enable | Prompt | Prompt |
| Userdata persistence | Enable | Enable | Enable | Disable |
| Active scripting | Enable | Enable | Enable | Disable |
| Allow paste operations via script | Enable | Enable | Enable | Disable |
| Scripting of Java applets | Enable | Enable | Enable | Disable |
| User Authentication - Logon | Automatic logon with current username and password | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Prompt for user name and password |

Note: Security options, default settings, and locations vary slightly according to IE version.

Administrators can also use the IEAK Configuration Wizard and the IEAK Profile Manager to configure and manage security zones for custom packages to be deployed in user groups.

Changing Security Levels

If you choose not to accept the default security levels for the preset zones in IE, you can easily assign a different level of security (High, Medium, Medium-Low, or Low) to any zone.

Note: If you want to customize the security level for a zone, select Custom Level (for expert users), and choose settings that suit your needs. For more information, see the next section, “Customizing Security Zones.”

Customizing Security Zones

The Custom Level option on the Security tab gives advanced users and systems administrators additional control over security settings. Again, the options for customizing security zones are the same whether you access them from IE, the IEAK Configuration Wizard, or the IEAK Profile Manager (with the exception of some Java controls).

Configuring Custom Settings

The custom security options for IE are grouped into the following categories:

  • ActiveX Controls and Plug-ins

  • Downloads

  • Java

  • Miscellaneous

  • Scripting

  • User Authentication

The following sections describe the security options for each security category.

ActiveX Controls and Plug-ins

These options dictate how ActiveX controls and plug-ins are downloaded, run, and scripted.

Note: If an ActiveX control is downloaded from a site different from the page on which it’s used, the more restrictive of the two sites' zone settings will be applied. For example, if a user is accessing a Web page within a zone that’s set to enable a download, but the code is downloaded from another zone that’s set to prompt a user first, the prompt setting is used.

Download signed ActiveX controls

This option determines whether users may download signed ActiveX controls from a page in the zone. The settings for this option are:

  • Enable, to download signed controls without user intervention.

  • Prompt, to query the user whether to download controls signed by publishers who aren't trusted, but still silently download code signed by trusted publishers.

  • Disable, to prevent signed controls from downloading.

Download unsigned ActiveX controls

This option determines whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. The settings for this option are:

  • Enable, to run unsigned controls without user intervention.

  • Prompt, to query users to choose whether to allow the unsigned control to run.

  • Disable, to prevent unsigned controls from running.

Initialize and script ActiveX controls not marked as safe

This option determines whether ActiveX control object safety is enforced for pages in the zone. Object safety should be enforced unless all ActiveX controls and scripts that might interact with pages in the zone can be trusted. The settings for this option are:

  • Enable, to override object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn’t recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • Prompt, to attempt to enforce object safety. However, if the ActiveX control cannot be made safe for untrusted data or scripts, then the user is queried whether to allow the control to be loaded with parameters or scripted.

  • Disable, to enforce object safety for untrusted data or scripts. ActiveX controls that cannot be made safe aren’t loaded with parameters or scripted.

Run ActiveX controls and plug-ins

This option determines whether ActiveX controls and plug-ins can be run on pages from the specified zone. The settings for this option are:

  • Enable, to run controls and plug-ins without user intervention.

  • Prompt, to query users to choose whether to allow the controls and plug-ins to run.

  • Disable, to prevent controls and plug-ins from running.

Script ActiveX controls marked safe for scripting

This option determines whether an ActiveX control marked safe for scripting can interact with a script. The settings for this option are:

  • Enable, to allow script interaction without user intervention.

  • Prompt, to query users to choose whether to allow script interaction.

  • Disable, to prevent script interaction.

Note that safe-for-initialization controls loaded with PARAM tags are unaffected by this option. This option is ignored when Initialize and script ActiveX controls not marked as safe is set to Enable, because that setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.
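The ActiveX download rules above combine three things: the per-level defaults from Table 3, the "more restrictive of the two sites' zone settings" rule, and the trusted-publisher exception for Prompt. The following added example (not code from the original article or from IE) models that combination; the function names and result strings are hypothetical, `signed` is assumed to mean that Authenticode verification succeeded, and the Local Machine zone is not modelled.

```python
# Added illustration of the article's ActiveX download rules; names are hypothetical.
ZONES = ["Internet", "Local Intranet", "Trusted Sites", "Restricted Sites"]

# Default security level of each predefined zone, as stated in the article.
DEFAULT_LEVEL = {
    "Internet": "Medium",
    "Local Intranet": "Medium-Low",
    "Trusted Sites": "Low",
    "Restricted Sites": "High",
}

SIGNED = "Download signed ActiveX controls"
UNSIGNED = "Download unsigned ActiveX controls"

# The two download rows of Table 3.
TABLE3 = {
    SIGNED: {"Low": "Enable", "Medium-Low": "Prompt",
             "Medium": "Prompt", "High": "Disable"},
    UNSIGNED: {"Low": "Prompt", "Medium-Low": "Disable",
               "Medium": "Disable", "High": "Disable"},
}

# Higher rank means more restrictive.
RANK = {"Enable": 0, "Prompt": 1, "Disable": 2}


def zone_setting(option, zone, levels=None):
    """Setting for one option in one zone; `levels` overrides zone levels."""
    level = {**DEFAULT_LEVEL, **(levels or {})}[zone]
    return TABLE3[option][level]


def effective_setting(option, page_zone, code_zone, levels=None):
    """Apply the more restrictive of the page's and the code's zone settings."""
    candidates = [zone_setting(option, z, levels) for z in (page_zone, code_zone)]
    return max(candidates, key=RANK.__getitem__)


def download_decision(page_zone, code_zone, signed,
                      publisher_trusted=False, levels=None):
    """Return 'download', 'ask user' or 'block' for one control."""
    option = SIGNED if signed else UNSIGNED
    setting = effective_setting(option, page_zone, code_zone, levels)
    # Prompt still downloads silently when the signer is a trusted publisher.
    if setting == "Prompt" and signed and publisher_trusted:
        return "download"
    return {"Enable": "download", "Prompt": "ask user", "Disable": "block"}[setting]


def unsigned_exposure(levels=None):
    """Zone pairs (page, code) where an unsigned control is not blocked outright."""
    return [(p, c) for p in ZONES for c in ZONES
            if download_decision(p, c, signed=False, levels=levels) != "block"]


if __name__ == "__main__":
    print("Defaults:", unsigned_exposure())
    # Lowering Local Intranet to Low widens where unsigned code can prompt.
    print("Intranet at Low:", unsigned_exposure({"Local Intranet": "Low"}))
```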

Downloads

These options specify how IE handles downloads.

File download

This option controls whether file downloads are permitted from the zone. Note that the zone of the page with the link causing the download determines this option, not the zone from which the file is delivered. The settings for this option are:

  • Enable, to allow files to be downloaded from the zone.

  • Disable, to prevent files from being downloaded from the zone.

Font download

This option determines whether pages of the zone may download HTML fonts. The settings for this option are:

  • Enable, to download HTML fonts without user intervention.

  • Prompt, to query users to choose whether to allow HTML fonts to download.

  • Disable, to prevent HTML fonts from downloading.

Java

These options control the permissions that are granted to Java applets when they’re downloaded and run in this zone. You can specify:

  • The maximum permission level granted to signed applets downloaded from the zone.

  • The permissions granted to unsigned applets downloaded from the zone.

  • The permissions granted to scripts on pages in the zone that call into applets.

Note: If a Java applet is downloaded from a different site than the page on which it’s used, the more restrictive of the two sites' zone settings will be applied. For example, if a user is accessing a Web page within a zone that’s set to allow a download, but the code is downloaded from another zone that’s set to prompt a user first, then the prompt setting is used.

Java permissions

The settings for this option are:

  • Custom, to control permissions settings individually. To view and change custom Java permissions for each security zone, use the IE Custom Java Security dialog box. You can also use the IEAK Configuration Wizard and IEAK Profile Manager to edit the advanced Java permissions for each security zone.

  • Low safety, to enable applets to perform all operations.

  • Medium safety, to enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities such as scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High safety, to enable applets to run in their sandbox.

  • Disable Java, to prevent any applets from running.

Miscellaneous

These options control whether users can submit nonencrypted form data, launch applications and files from IFRAMEs, install Active Desktop items, drag files, or copy and paste files in a zone.

Access data sources across domains

This option controls whether a web page can call data sources from other domains, which is not uncommon. The settings for this option are:

  • Enable, to allow data sources from other domains automatically.

  • Prompt, to query users on whether to allow data sources to be used from other domains.

  • Disable, to prevent data sources from other domains from being used.

Allow META REFRESH

This option controls whether a web page can redirect your browser to another page after a predefined period of time. The settings for this option are:

  • Enable, to allow Meta refreshes.

  • Disable, to prevent Meta refreshes.

Display mixed content

This option controls whether or not IE will display a web page containing content from both secure (https) and nonsecure (http) sources. The settings for this option are:

  • Enable, to allow web pages with mixed content to display.

  • Prompt, to query users on whether to allow web pages with mixed content to display.

  • Disable, to prevent web pages with both secure and nonsecure content from displaying.

Don’t prompt for client certificate selection when no certificates exist or only one certificate exists

This option controls whether or not a web site requesting client certificate authentication will prompt the user to select a client certificate to authenticate their identity when no certificate or only one certificate exists. The settings for this option are:

  • Enable, so that a web site requesting client certificate authentication doesn't prompt the user to select a client certificate when no certificate or only one certificate exists.

  • Disable, so that a web site requesting client certificate authentication prompts the user to select a certificate even if no certificate or only one certificate exists.

Drag and drop or copy and paste files

This option controls whether users can drag files or copy and paste files from a source within the zone. The settings for this option are:

  • Enable, to drag files or copy and paste files from this zone without user intervention.

  • Prompt, to query users to choose whether to drag or copy files from this zone.

  • Disable, to prevent dragging files or copying and pasting files from this zone.

Installation of desktop items

This option controls whether users can install Active Desktop items from this zone. The settings for this option are:

  • Enable, to install desktop items from this zone without user intervention.

  • Prompt, to query users to choose whether to install desktop items from this zone.

  • Disable, to prevent desktop items from this zone from being installed.

Launching programs and files in an IFRAME

This option controls whether applications may be run and files may be downloaded from a floating frame (IFRAME) reference in the HTML of the pages in this zone. The settings for this option are:

  • Enable, to run applications and download files from IFRAMEs on the pages in this zone without user intervention.

  • Prompt, to query users to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • Disable, to prevent applications from running and files from downloading from IFRAMEs on the pages in this zone.

Navigate sub-frames across different domains

This option controls whether a web page displayed in a sub-frame can be loaded from a domain different from that of the calling web page. The settings for this option are:

  • Enable, to allow web pages to call sub-frame pages originating from different domains.

  • Prompt, to query users to choose whether to allow sub-frames from other domains.

  • Disable, to prevent a web page from calling a sub-frame from a different domain.

Software channel permissions

This option controls the permissions given to software distribution channels. The settings for this option are:

  • Low safety, to allow users to be notified of software updates by email, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers.

  • Medium safety, to allow users to be notified of software updates by email and software packages to be automatically downloaded to (but not installed on) users' computers.

  • High safety, to prevent users from being notified of software updates by email, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.

Submit nonencrypted form data

This option determines whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL encryption are always allowed; this setting only affects non-SSL form data submission. The settings for this option are:

  • Enable, to allow information using HTML forms on pages in this zone to be submitted without user intervention.

  • Prompt, to query users to choose whether to allow information using HTML forms on pages in this zone to be submitted.

  • Disable, to prevent information using HTML forms on pages in this zone from being submitted.

Userdata persistence

This option controls whether or not a web page can store collected user data after the user leaves the web page. The settings for this option are:

  • Enable, allow web page to store persistent data.

  • Disable, deny a web page the ability to store persistent user data.

Scripting

These options specify how IE handles scripts.

Active scripting

This option determines whether script code on pages in the zone is run. The settings for this option are:

  • Enable, to run scripts without user intervention.

  • Prompt, to query users to choose whether to allow the scripts to run.

  • Disable, to prevent scripts from running.

Allow paste operations via script

This option controls whether or not a web page script can copy and paste data to the Windows Clipboard application. Several security vulnerabilities are possible if this setting is enabled. The settings for this option are:

  • Enable, allow a web site script to copy and paste data using the Windows clipboard application.

  • Prompt, query users to choose whether or not to allow a web site to utilize the Windows Clipboard to copy and paste data.

  • Disable, prevent web sites from using the Windows Clipboard.

Scripting of Java applets

This option determines whether applets are exposed to scripts within the zone. The settings for this option are:

  • Enable, to allow scripts to access applets without user intervention.

  • Prompt, to query users to choose whether to allow scripts to access applets.

  • Disable, to prevent scripts from accessing applets.

User Authentication

This option controls how HTTP user authentication is handled.

Logon

The settings for this option are:

  • Anonymous logon, to disable HTTP authentication and use the guest account only for CIFS.

  • Prompt for user name and password, to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon only in Intranet zone, to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon with current user name and password, to attempt logon using Windows NT® Challenge/Response (also known as NT LAN Manager—NTLM) authentication. If the server supports Windows NT Challenge/Response authentication, the logon uses the user's network username and password for logon. If the server doesn’t support Windows NT Challenge/Response authentication, the user is queried to provide the username and password.
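For auditing, the settings described above can be read back from the per-zone registry values in which IE stores them. The following is an added example, not part of the original article: the value names (1400, 1A00, and so on) and their data come from Microsoft's documented URL-action registry layout rather than from this page, the function name is hypothetical, and the sample data is constructed.

```powershell
# Added example. Registry value names/data follow Microsoft's documented
# URL-action layout under ...\Internet Settings\Zones\<zone number>.
$Actions = [ordered]@{
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1407' = 'Allow paste operations via script'
    '1601' = 'Submit nonencrypted form data'
    '1606' = 'Userdata persistence'
    '1607' = 'Navigate sub-frames across different domains'
    '1800' = 'Installation of desktop items'
    '1804' = 'Launching programs and files in an IFRAME'
    '1A00' = 'Logon'
    '1E05' = 'Software channel permissions'
}
$Policy  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Logon   = @{ 0x00000 = 'Automatic logon with current user name and password'
              0x10000 = 'Prompt for user name and password'
              0x20000 = 'Automatic logon only in Intranet zone'
              0x30000 = 'Anonymous logon' }
$Channel = @{ 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety' }

function Get-ZoneSettingReport {
    # $Values: hashtable or Get-ItemProperty output holding one zone's DWORDs.
    param([Parameter(Mandatory)] $Values)
    foreach ($name in $Actions.Keys) {
        $raw = $Values.$name
        if ($null -eq $raw) { continue }          # value not set for this zone
        $map = switch ($name) { '1A00' { $Logon } '1E05' { $Channel } default { $Policy } }
        $state = $map[[int]$raw]
        if (-not $state) { $state = 'Unknown (0x{0:X})' -f [int]$raw }
        [pscustomobject]@{
            Setting  = $Actions[$name]
            State    = $state
            # True when the action proceeds with no prompt to the user.
            NoPrompt = $state -in 'Enable', 'Low safety', $Logon[0]
        }
    }
}

# Constructed sample for the Internet zone (3). On a live system pass instead:
#   Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$sample = @{ '1400' = 0; '1407' = 1; '1601' = 1; '1804' = 3
             '1A00' = 0x20000; '1E05' = 0x20000 }
Get-ZoneSettingReport -Values $sample | Format-Table -AutoSize
```

With the constructed sample, only Active scripting is reported with NoPrompt set to True; settings absent from the input are skipped rather than guessed.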

IE’s security zones and settings allow a tremendous amount of flexibility when deciding which types of downloadable content to trust. The last section, “Common Authenticode Questions,” gives answers to commonly asked questions about Authenticode.

Common Authenticode Questions

If IE tells me that a piece of software hasn’t been signed, should I download it anyway?

This is a decision that should be based on the end user’s own judgment. For instance, if the end user has downloaded software from a particular site before and believes that this software can be trusted not to have been tampered with or to behave maliciously, then the end user may decide to download code that hasn’t been signed (i.e., that doesn’t have a valid certificate associated with it). Conversely, if the end user knows nothing about the software or the site from which it originated, the end user may choose not to download this piece of software.

Should I trust and download a piece of software just because it’s been signed?

Again, this decision relies on the end user’s own judgment; however, the certificate provides end users with the data they need to make a more informed decision about this piece of software. If the end user has a great deal of trust in a particular software publisher, then the end user may decide to automatically download any software from this publisher through the settings provided in the Authenticode Security Technology dialog box.

Does a personal certificate or a site certificate have anything to do with a software publisher certificate?

Personal, site, and publisher certificates are all used to prove identity over the Internet; however, these certificates are used within different contexts. Your personal certificate identifies you to Web sites and allows you to access private or paid-for content over the Internet. A site certificate assures you of a Web site's identity and is used for secure communications between you and the Web site. A software publisher certificate, as mentioned previously, identifies the publisher of a piece of software and ensures that the software hasn't been tampered with after it has left the software publisher.

How can I tell the difference between an individual publisher and a commercial publisher when IE presents me with a software publisher’s certificate?

Before downloading a signed piece of software, IE identifies the issuer of the software publisher certificate as a CA for either individual or commercial publishers. IE further differentiates individual and commercial software publishers through the graphical presentation of the certificate to the end user in the Authenticode Security Technology dialog box.

How can Authenticode be used within a corporate scenario?

Using IEAK, an administrator can preconfigure IE safety settings, thereby setting the default manner in which IE treats potentially unsafe code—for example, code that doesn’t have a valid software publisher certificate associated with it. In addition, through IEAK, the administrator can control which Options settings the user can change. Hence, the administrator can prevent unsigned software from being downloaded to end users’ PCs.

Summary

Microsoft’s Authenticode technology ensures that software hasn’t been tampered with since the time it was digitally signed by its publisher. CAs are third parties that ensure that software authors are who they say they are. Authenticode-protected software establishes a reliable link to the publisher, which has contractually agreed that its software isn’t intentionally malicious. Without having to inspect the programming source code line by line, users are given a higher degree of trust not given by unsigned code. Users can assign different degrees of security trust to IE’s zones to accommodate acceptable levels of risk for their computing environment.