Managing Internet Explorer's Security and Privacy Settings

You should keep two risk factors in mind when you use the Web:

  • Web sites may be collecting information about you and your browsing habits using small files called cookies that are stored on your computer.

  • The scripts and applets that allow web sites to offer more complex content and services may also make your computer more vulnerable to viruses or hackers.

This section discusses the tools and options that Internet Explorer provides for dealing with these risks. Also see "Managing Which Files Internet Explorer Downloads" in Chapter 33.

Controlling Cookies

A cookie is a small (at most 4 Kb) file that a web server can store on your machine. Its purpose is to allow a web server to personalize a web page, depending on whether you have been to that web site before and what you may have told it during previous sessions. For example, when you establish an account with an online retailer or subscribe to an online magazine, you may be asked to fill out a form that includes some information about yourself and your preferences. The web server may store that information (along with information about when you visit the site) in a cookie on your machine. When you return to that web site in the future, the retailer's web server can read its cookie, recall this information, and structure its web pages accordingly.

Internet Explorer 7 gives you some control over cookies. Unfortunately, IE 7's privacy level settings (which are the same as the ones in IE 6) make the situation seem much more complicated than it is, and none of them is a very good cookie policy. The privacy settings are based on the Platform for Privacy Preferences (P3P), a voluntary standard that helps set privacy controls on the Web.

Note  

To learn more about the policy that helps control privacy matters on the Web, you can visit the P3P web site at http://www.w3.org/P3P.

How Does Internet Explorer Implement Privacy Policies?

The Privacy tab of the Internet Options dialog box contains a slider that you can set to one of six levels, from Accept All Cookies to Block All Cookies. The default level is Medium. The descriptions of these levels are phrased using technical terms like personally identifiable information, implicit consent, explicit consent, and compact privacy policy. What follows is our interpretation of what these levels actually mean:

  • Block All Cookies: At this level you are unable to log in to access Hotmail, or a Yahoo home page, or to use a subscription to the online Wall Street Journal. You could make this setting tolerable if you could create exceptions for your favorite web sites, but Microsoft has disabled the exception-making capability for this setting.

  • High: Cookies are only accepted from web sites that offer P3P information, and then only if that information says that they don't keep track of information that would identify you personally (like your name, for example, or your phone number) unless you've explicitly given them permission to do so. At this level we could log into Hotmail and Yahoo, but not The Wall Street Journal.

  • Medium High: Same as High, except that first-party cookies are accepted from web sites that use personally identifiable information without your explicit consent, if they somehow allow you to opt out of this usage. (In general, we don't like opt-out processes. They require too much alertness and diligence on your part.) At this level we could see The Wall Street Journal.

  • Medium: Allows third-party cookies that let you opt out of their use of personally identifiable information. Restricts first-party cookies that use personally identifiable information without letting you opt out. (We have no idea what the difference between "restrict" and "block" is.)

  • Low: Accepts all first-party cookies. Restricts third-party cookies from web sites that don't offer P3P information or that don't let you opt out of their use of personally identifiable information.

  • Accept All Cookies: Accepts all cookies without asking you.

What Is a Sensible Cookie Policy?

First we'll tell you what you don't want: You don't want to block all cookies, because you give up much of the functionality and convenience of the Web. You also don't want Internet Explorer to ask you what to do every time a web site wants to set a cookie, because you'll spend more time deciding about cookies than you'll spend reading web pages.

You do want to make a distinction between first-party and third-party cookies, because third-party cookies benefit only the advertisers, not you.

The cookie policy we'd like to have is Medium High for first-party cookies, and block third-party cookies altogether. This does not seem to be possible with Internet Explorer. Given that fact, we recommend the following policy: accept all first-party cookies and block all third-party cookies. This isn't one of the six levels on the slider, but you can configure Internet Explorer to do it.

Another reasonable option (but somewhat more difficult to set up) is to select the High level and then create exceptions for a few favorite web sites whose cookies are blocked. This policy allows a few more third-party cookies and a few fewer first-party cookies than the policy suggested in the previous paragraph. However, this option stops many shopping sites from working, because the sites use shopping-cart programs hosted on third-party web sites. (Another option is to use Netscape instead of IE, because of its more flexible cookie policies.)

Setting Cookie Policy

Cookie policy is controlled from the Privacy tab of the Internet Options dialog box. If you want one of the settings described in the previous section, move the slider to that setting and click OK.

If you want to set up our recommended cookie policy (allow first-party and block third-party cookies), do the following:

  1. Select Tools | Internet Options to open the Internet Options dialog box.

  2. Select the Privacy tab (see Figure 26-15).

    Figure 26-15: Setting IE's privacy options.

  3. Click the Advanced button on the Privacy tab. The Advanced Privacy Settings dialog box appears.

  4. Check the Override Automatic Cookie Handling box.

  5. Select the Accept radio button under First-Party Cookies and the Block radio button under Third-Party Cookies.

  6. Click OK in both of the open dialog boxes.

If a particular web site is not working because its cookies are being blocked, you can choose to create an exception for it without changing your settings for other web sites. (For reasons that escape us, Microsoft has made this option unavailable if you have chosen the Block All Cookies setting.) Do the following:

  1. Select Tools | Internet Options to open the Internet Options dialog box.

  2. Select the Privacy tab.

  3. Click the Sites button on the Privacy tab. The Per Site Privacy Actions dialog box opens.

  4. Type the URL of the web site into the Address Of Web Site line.

  5. Click the Allow button and click OK in both open dialog boxes.

If you want to block the cookies on a particular web site when your overall policy would allow them, do the previous steps, but click the Block button in Step 5.

Managing the Cookies You Have

Windows stores your cookies in two folders:

  • C:\Users\username\Cookies

  • C:\Users\username\Local Settings\Temporary Internet Files

Reading a cookie in WordPad or some other text program probably will not tell you much, though it may set your mind at ease to realize just how little information is there (see "Taking Advantage of Free Word Processing with WordPad" in Chapter 18). Delete individual cookies from your system by deleting the corresponding text files, or nuke them all by clicking the Delete button on the General tab of the Internet Options dialog box and then clicking Delete Cookies in the Delete Browsing History dialog box. Click Yes when asked if you are sure you want to delete them. Click OK twice.

Managing Scripts, Applets, and ActiveX Controls

Some web pages increase the amount of interactivity they can offer by downloading small programs to run on your computer. For example, rather than transmitting the individual frames of an animation over the Internet, a web server may send an animation-constructing program that runs on your computer. A financial web site may download a program that displays a scrolling stock ticker. Typically, this process is invisible to the user: the interaction or the animation just happens, without calling your attention to how it happens.

While these programs are useful, they also create security issues. If web sites can put useful programs on your computer and run them without informing you, precautions must be taken to make sure that they can't also put harmful programs on your computer. Internet Explorer takes certain precautions automatically and allows you the option to choose additional precautions.

What Are Java, JavaScript, VBScript, and ActiveX?

Java is a language for sending small applications (called applets) over the Web so that they can be executed by your computer. JavaScript is a language for extending HTML to embed small programs called scripts in web pages. VBScript, a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript) can do, too, and vice versa.

ActiveX controls, like Java, are a way to embed executable programs into a web page. Unlike Java and JavaScript, but like VBScript, ActiveX is a Microsoft system that is not used by all browsers. When Internet Explorer encounters a web page that uses ActiveX controls, it checks to see whether that particular control is already installed; if it is not, IE asks whether you want to install the control on your machine using the Information Bar at the top of the IE Viewer area. Click the Information Bar and then click Install ActiveX Control to download and install the control.

Caution  

ActiveX controls are considerably more dangerous than JavaScript or VBScript scripts or Java applets. Java applets and JavaScript scripts are run in a "sandbox" inside your web browser, which limits the accidental or deliberate damage they can do; and VBScript scripts are run by an interpreter, which should limit the types of damage they can do. However, ActiveX controls are programs with full access to your computer's resources.

Security Zones

Internet Explorer has different security settings for its four zones: Trusted Sites, Local Intranet, Internet, and Restricted Sites. The default settings are Low in the Trusted Sites zone, Medium-Low in the Local Intranet zone, Medium in the Internet zone, and High in the Restricted Sites zone. These zones and settings are discussed in Chapter 33.

The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:

  1. Open the Internet Options dialog box by selecting Tools | Internet Options from the Internet Explorer menu bar.

  2. Click the Security tab of the Internet Options dialog box.

  3. Select the zone you want to examine or change.

  4. If you want to change the security setting of a zone, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)

  5. To see the nitty-gritty details of the current security settings for the selected zone, click the Custom Level button. The Security Settings dialog box opens.

  6. If you want to change the security settings of the selected zone, scroll through the Security Settings dialog box until you see the item you want to change. Change an item by checking or unchecking its check box, or by selecting a different radio button than the current selection.

  7. Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.

Managing Java and JavaScript

The security settings that affect Java and JavaScript are in the Java and Scripting sections of the Security Settings dialog box. You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely. Follow the steps in the previous section.

Managing ActiveX Controls

We have never been big fans of ActiveX controls. They allow web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls, which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: they have the same status as applications that you install yourself.

Disabling ActiveX controls is one option. However, if you frequent Microsoft web sites like MSN or MSNBC, you will be exposed to numerous temptations to turn them back on. We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the "Security Zones" section above.) When you find a Microsoft web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone. See Chapter 33 for a discussion of security zones and trusted sites.

ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files. If you use Internet Explorer, you should check this folder periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.

Displaying a Privacy Report about a Web Page

IE 7 includes the Privacy Report to help you determine how much information you are willing to give a particular site. It also enables you to determine what kind of information a site is storing on your computer and whether the site complies with its own privacy policy. Accessing the Windows Privacy Report is easy. In Internet Explorer, choose View | Web Page Privacy Report from the menu. You see a list of the objects that are loaded on the page you are looking at, typically graphics.

These connected objects may be on the same web server as the page itself or might have been loaded from other web servers. If any of the objects listed have placed a cookie on your computer, you see it listed in the column to the right.

Click the Settings button to see the Privacy tab of the Internet Options dialog box, which was covered earlier in this chapter. Clicking the Advanced button enables you to set how cookies are dealt with. Our favorite arrangement is to allow cookies from the originating server but to refuse them from any external servers. This almost globally allows cookies that are specific to your browsing while rebuffing those that are used for external tracking and advertising information gathering.
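The following added example (not from the book, and not Internet Explorer's own logic) models the arrangement described above together with the per-site Allow/Block exceptions from "Setting Cookie Policy": for each object a page loads, it decides whether a cookie from that object's server would be first-party or third-party and whether it would be kept. The host names are constructed, and treating the last two DNS labels as "the site" is a simplifying assumption that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

def site_of(url):
    """Approximate the owning site as the last two DNS labels of the host
    (assumption: no multi-label public suffixes such as co.uk)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def cookie_decision(page_url, object_url, exceptions=None):
    """Return (party, action) for a cookie set by object_url on page_url.

    General rule: accept first-party, block third-party.
    exceptions maps a site to "allow" or "block" and overrides the rule,
    like an entry in the Per Site Privacy Actions dialog box.
    """
    exceptions = exceptions or {}
    obj_site = site_of(object_url)
    party = "first" if obj_site == site_of(page_url) else "third"
    if obj_site in exceptions:
        return party, "accept" if exceptions[obj_site] == "allow" else "block"
    return party, "accept" if party == "first" else "block"

def privacy_report(page_url, object_urls, exceptions=None):
    """One row per loaded object: (url, party, action)."""
    return [(u, *cookie_decision(page_url, u, exceptions)) for u in object_urls]

# Constructed sample: a shop page that pulls in an ad banner and a
# shopping cart hosted on another company's server.
PAGE = "http://www.shop.example/catalog.html"
OBJECTS = [
    "http://img.shop.example/logo.gif",
    "http://ads.tracker.example/banner.gif",
    "https://secure.cart-host.example/basket",
]

if __name__ == "__main__":
    runs = [("Recommended policy, no exceptions", {}),
            ("With an Allow exception for the cart host",
             {"cart-host.example": "allow"})]
    for label, exc in runs:
        print(label)
        for url, party, action in privacy_report(PAGE, OBJECTS, exc):
            print(f"  {action:6} {party}-party  {url}")
```

The first run shows why a shopping site can stop working under this policy (the hosted cart is third-party and blocked); the second shows a single Allow exception restoring it while the ad server's cookie stays blocked.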




Windows Vista: The Complete Reference (Complete Reference Series)
ISBN: 0072263768
EAN: 2147483647
Year: 2004
Pages: 296