Internet Explorer 8 and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2
Applies To: Windows 7, Windows Server 2008 R2
In this section
Benefits and purposes of Internet Explorer 8
Internet Explorer enhanced security configuration
Examples of the security-related features in Internet Explorer 8
Resources for learning about topics related to security in Internet Explorer 8
Procedures for controlling Internet Explorer in Windows 7 and Windows Server 2008 R2
This section provides information about:
The benefits of Internet Explorer® 8 in Windows® 7 and Windows Server® 2008 R2.
A description of Internet Explorer Enhanced Security Configuration, which is enabled by default when you install Windows Server 2008 R2.
Examples of the security-related features in Internet Explorer 8.
Note
SmartScreen® Filter, one of the security-related features in Internet Explorer 8, is described in SmartScreen Filter and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 later in this document.
Resources for learning about topics related to security in Internet Explorer 8. This includes resources to help you learn about:
Security and privacy settings in Internet Explorer 8.
Mitigating the risks inherent in Web-based applications and scripts.
Methods for controlling the configuration of Internet Explorer 8 in your organization by using Group Policy settings, the Internet Explorer Administration Kit (IEAK), or both.
Information about performing specific actions related to Internet Explorer 8 in Windows 7 and Windows Server 2008 R2. These actions include:
Choosing a Web browser during unattended installation or by using the Default Programs interface.
Turning Internet Explorer Enhanced Security Configuration off and on.
Setting the security level to High for specific Web sites.
Note
This section of this document describes Internet Explorer 8, but it does not describe related features such as Content Advisor or the wizard for making a connection to the Internet. It also does not describe SmartScreen Filter in Internet Explorer or error reporting for Internet Explorer. For information about these features, see the following sections of this document:
Appendix J: Wizards in Windows 7 and Windows Server 2008 R2 Related to Connecting to the Internet
SmartScreen Filter and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2
It is beyond the scope of this document to describe all the aspects of maintaining appropriate levels of security in an organization where users perform such actions as connecting to Web sites, running software from the Internet, or downloading items from the Internet. This section, however, provides overview information and suggestions for sources of information about how to balance user requirements for Internet access with your organization's requirements for protection of networked assets.
For more information about Internet Explorer, see the following resources:
Help for Internet Explorer (with Internet Explorer open, press F1)
Benefits and purposes of Internet Explorer 8
Internet Explorer 8 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from many of the other features that are described in this document in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with features that communicate with the Internet in the process of supporting another activity).
Internet Explorer 8 is also designed to be highly configurable, with security and privacy settings that can help protect your organization's networked assets while at the same time providing access to useful information and tools. In addition, Internet Explorer Enhanced Security Configuration, which is enabled by default when you install Windows Server 2008 R2, helps to make your server more secure by limiting its exposure to malicious Web sites.
Note
With this enhanced level of security, however, you might find that some Web sites are not displayed correctly in Internet Explorer when you are browsing from a server. Also, you might be prompted to enter your credentials when accessing network resources, such as files in shared folders with Universal Naming Convention (UNC) names. As an administrator, you can turn Internet Explorer Enhanced Security Configuration off and on.
Internet Explorer enhanced security configuration
Internet Explorer Enhanced Security Configuration is turned on by default when you install Windows Server 2008 R2. This configuration assigns specific levels of security settings to four zones that are defined in Internet Explorer 8: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. For example, it assigns High security settings to both the Internet zone and the Restricted sites zone.
The configuration also contains a variety of other settings. These include specific settings such as whether the Temporary Internet Files folder is emptied when the browser is closed, and settings that determine which zone certain standard Web sites are added to (for example, the Windows Update Web site is added to the Trusted sites zone).
For more information about Internet Explorer Enhanced Security Configuration, on a server that is running Windows Server 2008 R2, click Start, click Internet Explorer and then click a link that is displayed:
If Internet Explorer Enhanced Security Configuration is turned on, click Effects of Internet Explorer Enhanced Security Configuration.
If Internet Explorer Enhanced Security Configuration is turned off, click Internet Explorer Enhanced Security Configuration.
Examples of the security-related features in Internet Explorer 8
This subsection describes some of the security-related features in Internet Explorer 8, which include:
SmartScreen Filter. Internet Explorer 8 provides protection against social engineering attacks by helping to identify malicious Web sites that attempt to obtain personal information or install malicious software. The SmartScreen Filter does this by blocking the download of malicious software and providing enhanced anti-malware support. Administrators can use Group Policy to configure the behavior of the SmartScreen Filter, for example, to prevent users from overriding the option to fully block access to known unsafe sites. The Microsoft® SmartScreen Filter is described in SmartScreen Filter and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 later in this document.
Restrictions on the installation of ActiveX controls. Internet Explorer 8 allows for greater management of ActiveX® controls, such as where and how they can load and which users can load them. Internet Explorer 8 also allows the administrator to help set up the ActiveX control installation process for future ActiveX controls. The installation of ActiveX controls can be set on a per-site and per-user basis.
Enhanced Delete Browsing History. Delete Browsing History enables users and organizations to delete browsing history for all Web sites except those in the user's Favorites folder. Administrators can configure Delete Browsing History options through Group Policy or the Internet Explorer Administration Kit. Administrators can also configure which sites are automatically included in Favorites, allowing them to create policies that help ensure security by aggressively clearing Internet files, and without affecting day-to-day interactions with preferred and favorite Web sites. The Delete Browser History on Exit check box (on the General tab of the Internet Options dialog box) allows users and administrators to automatically delete the browsing history on exit.
InPrivate Browsing. The InPrivate™ browsing feature in Internet Explorer 8 deletes the user’s browsing history data that is accumulated on the computer, as soon as the Internet Explorer browsing windows for that session are closed. A network administrator can use Group Policy to control how InPrivate Browsing is used in their enterprise.
InPrivate Filtering. InPrivate Filtering helps prevent parties that serve or gather content (such as analytics, ad networks, or maps) on a Web page from tracking the user's activities. InPrivate Filtering monitors the frequency with which all outside-party content appears across all Web sites that are visited by the user. It does not discriminate between different types of outside party content, but rather it blocks content from a specific outside party only if it appears on more than a predetermined number of sites that the user has visited. This number can be configured by the user. In addition, a network administrator can choose to completely disable InPrivate Filtering in their enterprise through Group Policy.
Protected Mode. Internet Explorer Protected Mode helps reduce the severity of threats to both Internet Explorer and Internet Explorer add-ons by requiring user interaction for actions that would affect the operating system. Even if the user gives permission, Internet Explorer can affect only areas that are directly controlled by the user, meaning a more secure locked-down environment. This feature uses other operating system features, called the integrity mechanism and User Interface Privilege Isolation (UIPI). Protected Mode also includes compatibility features that allow most extensions to continue running with no changes and provide affected extensions with clear alternative options.
For more information, see:
Secure Sockets Layer (SSL). Internet Explorer 8 makes it easier to see whether Web transactions are secured by SSL or Transport Layer Security (TLS). A security report icon appears to the right of the address bar when you view a page that uses a Hypertext Transfer Protocol Secure (HTTPS) connection. Clicking this icon displays a report describing the certificate used to encrypt the connection and the certification authority (CA) that issued the certificate. The security report also provides links to more detailed information. Internet Explorer 8 also supports High Assurance certificates, giving further guidance to users that they are communicating with a verified organization. This verification will be granted by existing CAs and show up in the browser as a clear green fill in the address bar.
Microsoft ActiveX Opt-In. Internet Explorer 8 disables all ActiveX controls that were not used in Internet Explorer 6 and all ActiveX controls that are not flagged for use on the Internet. When users encounter an ActiveX control for the first time, they see a gold bar asking if they want to use the control. Users can then selectively allow or prevent running the control. By default, the ActiveX opt-in does not apply to Intranet and Trusted Site zones; controls on those zones, including a short list of preapproved controls, run without prompting.
The following list names some of the security-related features that have been continued from Internet Explorer 6.
A Privacy tab. This tab provides flexibility in blocking and allowing cookies, based on the Web site that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy.
Security settings that define security zones. For each zone, users can control the way that Internet Explorer 8 handles higher-risk items such as ActiveX controls, downloads, and scripts.
Support for content-restricted inline floating frames (IFrames). This type of support enables developers to implement IFrames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks.
A configurable pop-up blocker. This helps you control pop-ups.
An improved interface for managing add-ons. Add-ons are programs that extend the capabilities of the browser.
Documentation for Internet Explorer 6, Internet Explorer 7, or Internet Explorer 8 describes these features in more detail. For more information about features that are available in Internet Explorer, see the information in the next subsection and at the following Web site:
Internet Explorer 8: Home page
Resources for learning about topics related to security in Internet Explorer 8
This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 8:
Security and privacy settings available in Internet Explorer 8
Methods for mitigating the risks that are inherent in Web-based programs and scripts
Ways to use Group Policy objects to control configuration settings for Internet Explorer 8
The Internet Explorer Administration Kit
In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment for Windows 7 and Windows Server 2008 R2 later in this document.
Learning about security and privacy settings in Internet Explorer 8
Following are sources of detailed information about the security and privacy settings in Internet Explorer 8 in Windows 7 and Windows Server 2008 R2:
Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros (This overview provides information about Phishing Filter, Protected Mode, and other enhancements to security features.)
Understanding and Working in Protected Mode Internet Explorer
In addition, the privacy statement for Internet Explorer 8 includes information about some of the features in Internet Explorer 8: Windows Internet Explorer 8 Privacy Statement.
Learning about mitigating the risks inherent in Web-based applications and scripts
In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects that are running within Web pages. This code can move across the Internet, and it is sometimes referred to as "mobile code." Configuration settings provide ways for you to control how Internet Explorer 8 responds when a user tries to run mobile code.
Following are two examples of how you can customize the Internet Explorer configuration that is deployed in your organization:
You can control the code (in ActiveX controls or in scripts, for instance) that users can run. Do this by customizing Authenticode® settings. For example, this can prevent users from running any unsigned code or enable them to only run code that is signed by specific authors. For more information, see Code-Signing Best Practices.
If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 8 looks for a requested executable, it looks on your internal Web site instead of the Internet. You can do this by changing a registry key.
Warning
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
The registry key to change specifies an Internet search path for Internet-based code:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft \\Windows\\CurrentVersion\\Internet Settings\\CodeBaseSearchPath**
This registry key usually contains the keyword **CODEBASE**, which allows software to specify its own Internet search path for downloading components (that is, when **CODEBASE** is present, calls to **CoGetClassObjectFromURL** check the *szCodeURL* location for downloading components). After **CODEBASE**, the **CodeBaseSearchPath** registry key usually lists additional URLs in the Internet search path, with each URL enclosed in angle brackets and separated by a semicolon. If you remove **CODEBASE** from the registry key and instead specify a site on your intranet, software will check that site, not an Internet site, for downloadable components. The URL specified in **CodeBaseSearchPath** will receive an HTTP POST request with data in the following format and respond with the object to install and load.
CLSID={class id}
Version=a,b,c,d
MIMETYPE=mimetype
For more information, search for all instances of **CodeBaseSearchPath** in the following MSDN® topic: [Implementing Internet Component Download](https://go.microsoft.com/fwlink/?linkid=75005).
For more information about how a particular Microsoft programming or scripting language works, see the Microsoft Developer Network.
Learning about Group Policy objects that control configuration settings for Internet Explorer 8
You can control configuration settings for Internet Explorer 8 by using Group Policy objects (GPOs). (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit" later in this section.) More than 100 Group Policy settings were added for Internet Explorer 8, bringing the total to more than 1,300. For sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2 later in this document.
To learn about specific Group Policy settings that can be applied to computers running Windows 7 and Windows Server 2008 R2, see the following sources of information:
Learning about the Internet Explorer Administration Kit
You can use the Internet Explorer Administration Kit (IEAK) to create a customized Internet Explorer package for use in your organization. You can then deploy your customized package by using standard means such as network shares, intranet sites, media such as CDs, or through a system management solution, such as Microsoft System Center Configuration Manager 2007. (You can also control the configuration of Internet Explorer by using Group Policy.
For more information, see Learning about Group Policy objects that control configuration settings for Internet Explorer 8 earlier in this section.
A few of the features and resources in the IEAK include:
Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client computers.
IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.
IEAK Toolkit. This toolkit contains a variety of helpful tools, programs, and sample files.
IEAK Help. The IEAK Help includes many conceptual and procedural topics that you can view by using the Contents and Search tabs. You can also print topics from IEAK Help.
For more information about the IEAK, see What Internet Explorer Administration Kit Can Do For You.
Procedures for controlling Internet Explorer in Windows 7 and Windows Server 2008 R2
The following subsections provide procedures for carrying out two types of tasks:
Controlling the browsers that are available for use in Windows 7 and Windows Server 2008 R2
Turning Internet Explorer Enhanced Security Configuration on or off
Setting the security level to High for specific Web sites
Procedures for controlling the Web browsers that are available for use in Windows 7 and Windows Server 2008 R2
This subsection provides information about controlling the browsers that are available for use in Windows 7 and Windows Server 2008 R2. Methods of controlling browser availability include:
Unattended installation by using an answer file
The Default Programs interface
To specify a browser during unattended installation by using an answer file
Use the methods that you prefer for unattended installation or remote installation to create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows 7 and Windows Server 2008 R2 later in this document.
Confirm that your answer file includes the following lines. If you already have a <ClientApplications> section in your answer file, the "Internet" line (the line containing information about your browser) should be included in the <ClientApplications> section rather than repeating the section.
<ClientApplications>
<Internet>browser_canonical_name</Internet>
</ClientApplications>
For browser_canonical_name, specify the canonical name that is coded into your Web browser.
To remove visible entry points to Internet Explorer during unattended installation by using an answer file
Use the methods that you prefer for unattended installation or remote installation to create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows 7 and Windows Server 2008 R2 later in this document.
Confirm that your answer file includes the following lines. If you already have a <WindowsFeatures> section in your answer file, the "ShowInternetExplorer" line should be included in the <WindowsFeatures> section rather than repeating the section.
<WindowsFeatures>
<ShowInternetExplorer>false</ShowInternetExplorer>
</WindowsFeatures>
Note
This procedure removes visible entry points to Internet Explorer, but it does not prevent Internet Explorer from running.
To specify a browser through the default programs interface
Click Start, click Control Panel, click Default Programs, and then click Set your default programs.
Under Programs (on the left), click the browser that you want to select as the default.
Note
For the preceding step, if the Web browser that you want to use does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate a program for Internet browsing, e-mail service, media playback, or instant messaging, see The Windows 7 and Windows Server 2008 R2 Developer Story: Application Compatibility Cookbook.
To use the selected program as the default for opening all file types and protocols, click Set this program as default.
As an alternative, you can click Choose defaults for this program, and then specify which file types and protocols the selected program should open by default.
Procedure for turning Internet Explorer enhanced security configuration on or off
Confirm that no instances of Internet Explorer are running (otherwise you will have to close and reopen all instances of Internet Explorer after you complete this procedure).
To turn Internet Explorer enhanced security configuration on or off
If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Confirm that Server Summary is expanded and that Security Information is expanded.
On the right, click Configure IE ESC.
Under Administrators, click On or Off, and under Users, click On or Off.
Procedures for setting the security level to high for specific Web sites
The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as running scripts and downloading files from the site.
For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or allows plug-ins, ActiveX controls, or scripts to run, see Examples of the security-related features in Internet Explorer 8 and Learning about security and privacy settings in Internet Explorer 8 earlier in this section.
To configure a specific computer with a security level of high for specific sites
On the computer that you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
Select Restricted sites.
Under Security level for this zone, make sure that the slider for the security level is set to High.
If the Internet Explorer Enhanced Security Configuration is turned on, the slider will be set to High, and it cannot be adjusted.
If the Internet Explorer Enhanced Security Configuration is turned off, the slider can be adjusted, and the security level can be set to a Custom level. If it is set to a Custom level, click Default Level, and then make sure that the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this Web site to the zone, type the Web site address that you want to add to the list of Restricted sites. You can use an asterisk as a wildcard character. For example, for Web sites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click Add.
To use Group Policy to set the security level to high for specific sites that users in your organization might connect to
As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.
In Group Policy, expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then click Security.
In the details pane, double-click Security Zones and Content Ratings.
Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings.
Select Restricted sites.
Under Security level for this zone, make sure that the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this Web site to the zone, type a Web site address that you want to restrict. You can use an asterisk as a wildcard character. For example, for Web sites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click the Add button.