Managing Which Files Internet Explorer Downloads

Java, JavaScript, VBScript, and ActiveX

Java is a language for developing small applications (called applets) that can be downloaded over the Web, so that they can be executed by your computer. JavaScript is a language for embedding small programs called scripts in web pages. VBScript , a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript .NET) can do, too, and vice versa.

ActiveX controls , like Java, are a way to embed executable programs into a web page. Unlike Java and JavaScript, ActiveX is a Microsoft system that is not used by Mozilla Firefox except in some work done by the Mozilla ActiveX Project (http://www.iol.ie/~locka/mozilla/mozilla.htm). When Internet Explorer encounters a web page that uses ActiveX controls, it checks to see whether that particular control is already installed; if it is not, Internet Explorer installs the control on your machine.

Internet Explorer's Zones

Internet Explorer's security policy is based on trust, and the decisions that you make involve who to trust and who not to trust. For example, when a web page wants to run an ActiveX control on your machine, Internet Explorer verifies who wrote the control (Microsoft, for example) and that it hasn't been tampered with. It doesn't consider what the control intends to do or what privileges it requests on your system (rewriting files, for example). Instead, it asks you whether you trust its author.

To determine who to trust, Internet Explorer divides the world into four zones:

• Internet Includes all sites that are not in one of the other three zones. Objects from this zone generally are given the medium level of access to your computer.

• Local Intranet Contains computers on your local network. They're usually considered fairly trustworthy, and objects are given a medium level of access to your computer.

• Trusted Sites Includes the sites that you or Microsoft have listed as trustworthy. Objects from this zone generally are given the highest level of access to your computer.

• Restricted Sites Includes the sites that you have listed as untrustworthy. Objects from this zone are given the lowest level of access to your computer. Don't change the access level of this zone to grant higher access.

Downloaded ActiveX controls and other executable objects can and should be signed by their authors, using a certificate scheme similar to that used for validating remote servers.

For each of the four zones into which a web page can fall, you can set the security to high, medium, medium-low, or low. For each zone, you can set exactly which remote operations you're willing to perform. To prevent downloading and running software that might infect your system with a virus, see the section "Preventing Infection by Viruses" earlier in this chapter.

Controlling Your Download Security

The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:

1. Open the Internet Options dialog box by selecting Tools Internet Options from the Internet Explorer menu bar.

2. Click the Security tab of the Internet Options dialog box (as shown in Figure 33-3).

   
   Figure 33-3: Security tab of the Internet Options dialog box.

3. Select the security zone you want to examine or change. The rest of the information on the Security tab changes to show the settings for that zone.

4. If you want to change the general security setting of the zone without specifying how to handle specific web page elements, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)

5. If you want to specify how to handle specific web page elements, click the Custom Level button to display the Security Settings dialog box, shown in Figure 33-4. Scroll through the settings until you see the item you want to change. Change an item by selecting or deselecting its check box or by selecting a different radio button from the current selection.

   
   Figure 33-4: Enabling and disabling web page elements for a security zone.

6. Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.

Controlling Which Web Sites Are in the Trusted Sites and Restricted Sites Zones

The Trusted Sites and Restricted Sites zones start with no web sites listed; you must specify the web sites to include in these zones. To specify sites, select the zone to which you want to add sites and click Sites on the Security tab of the Internet Options dialog box. You see the Trusted Sites or the Restricted Sites dialog box, the first of which is shown in Figure 33-5. To add a new site, type its full address, starting with http:// or https :// , into the Add This Website To The Zone box and click Add. The web site appears in the Websites list. To remove a site, select it in the Websites list and click Remove. You can require a verified secure connection to all sites in this zone by clicking the Require Server Verification (https:) For All Sites In This Zone check box at the bottom of the dialog box; when selected, this setting prevents you from adding any sites that don't support HTTPS, which is described in "Securing Your Web Communication with Encryption and Certificates" later in this chapter.

Figure 33-5: Adding sites to the Trusted Sites zone.

Managing Java and JavaScript

The security settings that affect how Internet Explorer deals with Java and JavaScript programs are in the Microsoft VM and Scripting sections of the Security Settings dialog box. Follow these steps:

1. On the Security tab of the Internet Options dialog box, click the zone for which you want to change or see the settings.

2. Click the Custom Level button to display the Security Settings dialog box. You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely, by choosing Disable (Internet Explorer does not run this type of program downloaded from this zone), Enable (Internet Explorer does run this type of program downloaded from this zone), or Prompt (ask before running the program).

Managing ActiveX Controls

We have never been big fans of ActiveX controls. They allow web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls-which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: they have the same status as applications that you install yourself.

Disabling ActiveX controls is one option, as described in the previous section. However, if you frequent Microsoft web sites like http://www.Office.microsoft.com and Windowsupdate http://www.microsoft.com, you will be exposed to numerous temptations to turn them back on. We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the previous section.) When you find a Microsoft web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone.

ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files (if Windows is installed in C:\Windows). If you use Internet Explorer, you should check this file periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.