Secure settings for MS Internet software
Apply Restricted Zone to your email settings, Internet zone to default browser settings and add sites to trusted zones as required. See 'Securing your stand-alone machine/network PC' for details.
The sections below explain the different Internet options in the security settings of Internet Explorer, grouped under: ActiveX controls and plug-ins, Cookies, Downloads, Microsoft VM, Miscellaneous, Scripting and User Authentication.
Download signed ActiveX controls
This section allows users to decide whether to download signed ActiveX components. When a component is said to be signed, it means that the company that has written the control has incorporated Microsoft's Authenticode technology into it, indicating that it is from a respected source. It is recommended that this option be disabled in your 'Restricted Sites' zone, as signed ActiveX controls can be hacked leaving the authorised signature intact. See 'Securing your stand-alone machine/network PC' on the vulnerabilities of ActiveX controls. In the 'Trusted Sites' zone this option can be set to 'enable' or 'prompt'; in the 'Internet' zone, certainly set this to 'prompt'.
Download unsigned ActiveX controls
Allows you to decide whether to download any unsigned ActiveX components. This should ALWAYS be set to disabled, except for the 'Trusted Sites' zone, where the 'prompt' option should be used. This type of component can be EXTREMELY DANGEROUS to your computer, easily formatting your hard drive or implanting viruses - be very careful! Setting this to 'enable' will cause both safe and unsafe ActiveX controls to be initialized and scripted, which ignores the 'Script ActiveX controls marked safe for scripting' option.
Initialize and script ActiveX controls not marked as safe
ActiveX controls are marked as safe or unsafe, and this option determines whether scripts should interact with unsafe ActiveX components. It is recommended that this be set to 'disable' in the 'Restricted Sites' zone and to 'prompt' in the 'Trusted Sites' and 'Internet' zones. When a control is not marked as being safe, it means the company or individual that has written the control has not verified that the control is safe for scripting across the Internet - a dangerous control can do untold damage to your machine.
Run ActiveX controls and plug-ins
Determines whether ActiveX components can be run or not. This is independent from the download options (which determine whether the components are signed or not) and scripting (which is determined by the author of the control). If this is set to disabled then all other ActiveX controls are ignored. It is recommended that this option be disabled for the 'Restricted Sites' zone, as it is unnecessary to use ActiveX for email, set to 'prompt' in the 'Internet' zone and set to 'enable' in the 'Trusted Sites' zone.
Script ActiveX controls that are safe for scripting
With this option you can decide whether a safe ActiveX control is allowed to interact with a script. If you have set the 'Initialize and script ActiveX controls not marked as safe' to 'Enable' this option is ignored, because that setting bypasses all object safety. Logically you cannot script unsafe controls whilst not scripting the safe ones. Set to 'Disable' in your 'Restricted Sites' zone, as all ActiveX components are unnecessary in emails - set to 'prompt' in 'Internet' zone and 'Enable' in 'Trusted Sites' zone (which, as mentioned before, should only contain those sites you feel to be entirely trusted).
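An added example, not part of the original page: a small auditor that reads `reg export` text and checks the five ActiveX settings above against this page's per-zone recommendations, including the case where enabling 'Initialize and script ActiveX controls not marked as safe' overrides the safe-for-scripting option. The registry action IDs (1001, 1004, 1200, 1201, 1405), the 0/1/3 value encoding and zone numbers 2 to 4 come from Microsoft's documented zone registry layout and are assumptions relative to this page; the sample export is constructed.

```python
import re

# Action IDs and DWORD values: Microsoft's documented Zones\<n> layout (not on the page).
LEVEL = {0: "enable", 1: "prompt", 3: "disable"}
RANK = {"enable": 0, "prompt": 1, "disable": 2}  # higher is stricter
ZONES = ["Trusted Sites", "Internet", "Restricted Sites"]  # registry zones 2, 3, 4
# id: (setting, weakest level the page accepts per zone, in ZONES order)
BASELINE = {
    "1001": ("Download signed ActiveX controls", "enable prompt disable"),
    "1004": ("Download unsigned ActiveX controls", "prompt disable disable"),
    "1200": ("Run ActiveX controls and plug-ins", "enable prompt disable"),
    "1201": ("Initialize and script ActiveX controls not marked as safe", "prompt prompt disable"),
    "1405": ("Script ActiveX controls that are safe for scripting", "enable prompt disable"),
}
KEY = re.compile(r"^\[.*\\Internet Settings\\Zones\\([234])\]$")
VAL = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text):
    """Return {zone id: {action id: level}} from `reg export` text."""
    zones, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY.match(line):
            cur = zones.setdefault(m.group(1), {})
        elif line.startswith("["):
            cur = None  # some other registry key: stop collecting
        elif cur is not None and (m := VAL.match(line)):
            cur[m.group(1).upper()] = LEVEL.get(int(m.group(2), 16), "unknown")
    return zones

def audit(zones):
    """List (zone, setting, found, wanted) where found is weaker than wanted."""
    out = []
    for zid, cfg in sorted(zones.items()):
        zone = ZONES[int(zid) - 2]
        for aid, (name, want) in BASELINE.items():
            found, wanted = cfg.get(aid, "missing"), want.split()[int(zid) - 2]
            if RANK.get(found, -1) < RANK[wanted]:
                out.append((zone, name, found, wanted))
        if cfg.get("1201") == "enable":  # page: this bypasses all object safety
            out.append((zone, BASELINE["1405"][0], "ignored", "in effect"))
    return out

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000001'''
```

Calling `audit(parse_reg(SAMPLE))` reports the two Internet zone settings left at 'enable' and the resulting override of the safe-for-scripting option. Values stricter than the recommendation pass, and a value absent from the export is reported as 'missing'.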
Allow cookies that are stored on your computer
Cookies are small files that contain information to speed up your Internet browsing. This setting determines whether to allow them to be stored on your hard drive or not. Although cookies started out as innocent text files, they can now be used by malicious programmers to gain certain information about you - especially if the cookie programmer has used bad practice and has written personal data to the cookie rather than an obscure reference that only they can use. These cookies contain an expiration date, when they are supposed to be erased from the system, but often these dates are set well into the future - retaining information that can potentially be abused. It is recommended that this be set to 'disable' in the 'Restricted Sites' zone, as cookies do not need to be in operation for emails (which is predominantly what we are setting the 'Restricted Sites' zone for), 'prompt' in the 'Internet' zone and 'enable' in the 'Trusted Sites' zone.
Session cookies are not stored on your computer; they exist only whilst the browser is up and running. They are often used in shopping cart systems, and to that end some online shopping systems may not work if this setting is disabled. This type of cookie does not pose the same possible threat as that of the stored cookie. This option should be set to 'disable' in the 'Restricted Sites' zone, 'prompt' in the 'Internet' zone and 'enable' in the 'Trusted Sites' zone. Please note that with both types of cookie a 'prompt' setting will sometimes produce up to three or four prompts from some web pages; if you are visiting the same site repeatedly (and you feel that it can be trusted) then add it to your 'Trusted Sites' zone. Also, cookies can be deleted from your hard drive by using the Internet Explorer settings tool, by clicking on 'delete files' and ensuring that the 'delete all off-line content' option is ticked.
This allows you to decide whether files can be downloaded from within a specified zone. Downloaded files can contain viruses so file downloads should always be treated with caution. We recommend that you disable this option in your 'Restricted Sites' zone, and ensure whilst in the other zones you take care. Always run a virus check on any files you download before you open them, especially from sites that are not in your 'Trusted Sites' zone. Please note that this option applies to the zone which the site is in and not the link to the file, so even if you download a file purportedly from a 'Trusted' site it could actually come from an untrusted source!
On some web pages the font that is used cannot be processed by Explorer, so it can download the appropriate font support. Set this to 'disable' in the 'Restricted Sites' zone and 'prompt' in the other zones.
Microsoft VM (Virtual Machine)
This section of the security options determines how the browser or email client handles Java applets, both the downloading of them and the running of them. If a control is downloaded from a different site than the page it is used on, the more restrictive of the two sites' zone settings is used. So if a page is in the 'Trusted Sites' zone and requests a Java applet from a site in the 'Internet' zone, then the settings for the 'Internet' zone will be used to control the Java applet's functionality. The custom option allows the user to configure the following settings individually - although it is not advisable to alter the custom options unless you are an experienced user.
The Low Safety option enables applets to perform all operations unhindered, whilst the Medium Safety option enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls) and enables capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file Input/Output. The High Safety option enables applets to run in their sandbox only, whilst the Disable Java option does not allow any applets to run. It is recommended that you set the option to 'disable' in your 'Restricted Sites' zone and set it to 'high' in both your 'Internet' and 'Trusted Sites' zones.
Access data sources across domains
This setting determines whether or not the zone can connect data control components to a data source on a different domain from the one the controls are based on. Disable this for your 'Restricted Sites' zone and set it to 'prompt' in the 'Internet' zone. If you know that you use a cross-domain data source on a regular basis, then add the site(s) to the 'Trusted Sites' zone and set this option to 'enable' within that zone.
Drag and drop or copy and paste files
This controls whether the zone allows the user to drag and drop or copy and paste files to the local machine. Set this to 'prompt' in all zones.
Some versions of Microsoft Windows come with an 'Active Desktop' feature, which allows automatic download and update of information displayed on the desktop. This option controls whether or not the Active Desktop feature can download and install components from web sites. It is recommended that this option be set to 'disable' in the 'Restricted Sites' zone and set to 'prompt' in the 'Internet' and 'Trusted Sites' zones.
Launching programs or files in an IFRAME
This option determines whether web pages that include an IFRAME tag can open the requested file or document within the page. Set this to 'disable' within the 'Restricted Sites' zone, set to 'prompt' in the 'Internet' zone and 'enable' within the 'Trusted Sites' zone.
Navigate sub-frames across different domains
This option determines whether a frame set can call web pages into the frames from different domains. Disable this option in the 'Restricted Sites' zone and enable it in the other zones.
This allows the user to specify the level of security assigned to software distribution channels for the zone. The 'Low Safety' option allows the automatic download or installation of software, from software channels, without prompting. To allow the software to be automatically downloaded without prompting, but not installed automatically, select the 'Medium Safety' option. The 'High Safety' option allows notification, but not automatic installation or download of software. This option should be set to 'Medium Safety' in the 'Internet' and 'Trusted Sites' zones and 'High Safety' in the 'Restricted Sites' zone.
Submit non-encrypted form data
This specifies whether web pages in the zone are allowed to send non-encrypted form data. This does not apply to data sent to SSL servers, which by definition is encrypted. Always be wary of where you send form data. 'Restricted Sites' should be set to 'disable' whilst other zones can be set to 'prompt'.
This allows certain user data from XML pages to be retained when the browser is shut down. Set this to 'disable' in your 'Restricted Sites' zone and 'enable' in the other zones. The security issues arise when more than one person uses a particular machine for browsing the Internet.
This option determines whether scripts can be run in this zone. For the 'Restricted Sites' zone, ensure this is set to disable, as it is unnecessary for scripts to be run in email. The 'Internet' zone should be set to 'prompt' and 'Trusted Sites' zone can be set to 'enable'.
Allow paste operations via scripts
This option is enabled by default, but should be set to prompt as it can pose a big security risk. Basically this option, when enabled, can give unscrupulous people access to the contents of your Windows clipboard. Ensure this is set to 'disable' in the 'Restricted Sites' zone and set to 'prompt' in the other zones.
This setting determines whether scripts in the zone are allowed to use objects that exist within Java applets, which allows the script to interact with the applet. Set this to 'disable' for the 'Restricted Sites' zone and 'prompt' in the other zones.
HTTP authentication honours the zone security policy for Logon credentials, which may have one of four values:
Automatic logon only in intranet zone. Prompts for user ID and password in other zones. After the user is prompted, this value can be used silently for the remainder of the session.
Anonymous logon. Disables HTTP authentication; uses guest account only for Common Internet File System (CIFS).
Prompt for username and password. Prompts for user ID and password. After the user is prompted, this value may be used silently for the remainder of the session.
Automatic logon with current username and password. The logon credential may be tried silently by Windows NT Challenge response (NTLM), an authentication protocol between an end-user client and application server, before prompting.
We recommend that you set this option to 'Prompt for username and password' in all zones, as there are a number of security risks if you don't. Firstly, if you set it to log on automatically then your computer will send your encrypted password across the Internet upon request - which may well have been requested by a malicious source. Secondly, when the password is stored it can allow another user of your machine to access websites masquerading as you!
(c) Copyright Andrew Bennett 2006