Security Settings in Internet Explorer 6

The Web browser has become a mission-critical application for nearly all organizations. Unfortunately, browsing Web sites on the Internet also can be a major security risk because Web browsers provide attackers with direct access to an organization's local area network (LAN). Fortunately, Internet Explorer enables administrators to easily configure privacy and security settings, and enables knowledgeable users to view privacy and security information to make decisions on whether to trust specific Web sites.

Privacy Settings

In April 2002, the World Wide Web Consortium (W3C), found at http://www.w3c.org, ratified the Platform for Privacy Preferences Project (P3P), an industry standard providing a simple, automated way for users to gain more control over the use of their personal information on Web sites they visit. Internet Explorer 6 fully supports P3P version 1.0. P3P helps protect the privacy of users' personal information on the Internet by making it easier for users to decide whether and under which circumstances personal information is disclosed to Web sites.

In Internet Explorer 6, users can define their privacy preferences for disclosing personal information. When users browse Web sites, Internet Explorer determines whether those sites abide by the P3P privacy standards. If the Web site does support P3P standards, Internet Explorer compares the user's privacy preferences to the Web site's privacy policy information. To be P3P compliant, a Web site must provide a clear definition of its privacy policies, including these:

  • The organization that is collecting information about users

  • The type of information that is being collected

  • What the information will be used for

  • Whether the information will be shared with other organizations

  • Whether users can access the information about them and change how the organization will use that information

  • The method for resolving disputes between users and the organization

  • How the organization will retain the collected information

  • Where the organization publicly maintains detailed information that users can read about their privacy policies

Internet Explorer 6 includes a new Privacy Report option on its View menu. This option enables users to view P3P privacy information, known as a privacy report, on P3P-compliant Web sites. For example, to view the privacy report for the Microsoft Web site, follow these steps:

  1. Open Internet Explorer.

  2. In the Address box, type http://www.microsoft.com.

  3. Click View, and then click Privacy Report.

  4. From the Web Sites With Content On The Current Page box, select http://www.microsoft.com and then click Summary.

Figure 10-1 shows the privacy report for the Microsoft Web site.

Figure 10-1. P3P privacy report for Microsoft.com

In addition to viewing P3P-compliant Web site privacy reports, Internet Explorer 6 enables P3P support for user cookie management. A cookie is a small file that an individual Web site stores on your computer. Web sites can use cookies to maintain information and settings, such as your customization preferences. Two types of cookies exist: persistent cookies and session cookies. Persistent cookies include an expiration date that identifies when the browser can delete them. Session cookies do not have an expiration date; they are deleted when the user closes the browser.

Internet Explorer 6 includes advanced cookie management capabilities that determine whether cookies can be stored on a user's computer. When you configure your privacy preferences, you can configure Internet Explorer to handle cookies in the following ways:

  • Prevent all cookies from being stored on your computer.

    This setting might prevent you from viewing certain Web sites, such as e-commerce Web sites that save shopping cart information in cookies.

  • Block or restrict first-party cookies.

    First-party cookies originate in the same domain as the Web site being visited. This setting blocks those cookies.

  • Block or restrict third-party cookies.

    Third-party cookies do not originate in the same domain as the Web site being visited and therefore are not covered by that Web site's privacy policy. For example, many Web sites contain advertising from third-party sites that use cookies. This setting blocks those cookies.

  • Use the Allow option.

    Enabling this option permits Web sites to place cookies on your computer without notifying you. Previous versions of Internet Explorer included a similar option.

  • Use the Prompt option.

    This option enables you to determine on a cookie-by-cookie basis whether to allow the cookie to be placed on your hard drive.

An additional option enables you to always allow session cookies. Figure 10-2 shows the Advanced Privacy Settings user interface on which you can configure cookie management in Internet Explorer 6.

Figure 10-2. Advanced Privacy Settings user interface in Internet Explorer 6

For convenience, Internet Explorer 6 offers six predefined privacy configurations and an option to create a custom configuration. By default, Internet Explorer 6 is set to Medium for sites in the Internet zone. (We will discuss the Internet zone later in this chapter.) In addition to the predefined configurations, you can override the settings for individual Web sites on the Privacy tab of the Internet Options menu item (from the Tools menu). These are the predefined privacy configurations:

  • Block All Cookies

    Prevents all Web sites from storing cookies on your computer, and Web sites cannot read existing cookies on your computer. Per-site privacy actions do not override these settings. This setting can prevent some Web sites from being viewed or Web applications from working correctly.

  • High

    Prevents Web sites from storing cookies that do not have a compact privacy policy (a condensed, computer-readable P3P privacy statement). The browser prevents Web sites from storing cookies that use personally identifiable information without your explicit consent. Per-site privacy actions override these settings.

  • Medium High

    Prevents Web sites from storing third-party cookies that do not have a compact privacy policy or that use personally identifiable information without your explicit consent. The browser prevents Web sites from storing first-party cookies that use personally identifiable information without your implicit consent. The browser also restricts access to first-party cookies that do not have a compact privacy policy so that they can be read only in the first-party context. Per-site privacy actions override these settings.

  • Medium (default)

    Prevents Web sites from storing third-party cookies that do not have a compact privacy policy or that use personally identifiable information without your implicit consent. The browser allows first-party cookies that use personally identifiable information without your implicit consent but deletes these cookies from your computer when you close the browser. The browser also restricts access to first-party cookies that do not have a compact privacy policy so that they can be read only in the first-party context. Per-site privacy actions override these settings.

  • Low

    Allows Web sites to store cookies on your computer, including third-party cookies that do not have a compact privacy policy or that use personally identifiable information without your implicit consent. However, closing the browser deletes these third-party cookies from your computer. The browser also restricts access to first-party cookies that do not have a compact privacy policy so that they can be read only in the first-party context. Per-site privacy actions override these settings.

  • Accept All Cookies

    Allows all Web sites to store cookies on your computer, and allows Web sites that create cookies on your computer to read them. Per-site privacy actions do not override these settings.
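The six configurations reduce to a small decision procedure. The sketch below is an added example, not Internet Explorer's code, that models it from the descriptions above; the Consent and Action names, and the reduction of a compact policy to a single consent level, are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Consent(Enum):
    """What a compact policy declares about personally identifiable information (PII)."""
    NO_PII = "no PII used"
    EXPLICIT = "PII used with explicit consent"
    IMPLICIT = "PII used with implicit consent only"
    NONE = "PII used without any consent"


class Action(Enum):
    ACCEPT = "accept"
    LEASH = "accept, readable only in the first-party context"
    SESSION_ONLY = "accept, deleted when the browser closes"
    REJECT = "reject"


@dataclass(frozen=True)
class Cookie:
    third_party: bool
    policy: Optional[Consent]  # None = the site sent no compact privacy policy


def decide(level: str, cookie: Cookie,
           site_override: Optional[Action] = None) -> Action:
    """Apply one predefined privacy configuration to one cookie."""
    # Per-site actions do not override the two absolute configurations.
    if level == "Block All Cookies":
        return Action.REJECT
    if level == "Accept All Cookies":
        return Action.ACCEPT
    if site_override is not None:
        return site_override

    no_policy = cookie.policy is None
    lacks_explicit = cookie.policy in (Consent.IMPLICIT, Consent.NONE)
    lacks_implicit = cookie.policy is Consent.NONE

    if level == "High":
        return Action.REJECT if no_policy or lacks_explicit else Action.ACCEPT
    if level == "Medium High":
        if cookie.third_party:
            return Action.REJECT if no_policy or lacks_explicit else Action.ACCEPT
        if lacks_implicit:
            return Action.REJECT
        return Action.LEASH if no_policy else Action.ACCEPT
    if level == "Medium":
        if cookie.third_party:
            return Action.REJECT if no_policy or lacks_implicit else Action.ACCEPT
        if lacks_implicit:
            return Action.SESSION_ONLY
        return Action.LEASH if no_policy else Action.ACCEPT
    if level == "Low":
        if cookie.third_party:
            return Action.SESSION_ONLY if no_policy or lacks_implicit else Action.ACCEPT
        return Action.LEASH if no_policy else Action.ACCEPT
    raise ValueError(f"unknown privacy configuration: {level!r}")


LEVELS = ("Block All Cookies", "High", "Medium High", "Medium", "Low",
          "Accept All Cookies")

if __name__ == "__main__":
    # Constructed sample cookies.
    samples = {
        "third-party ad cookie, no compact policy": Cookie(True, None),
        "first-party cookie, no compact policy": Cookie(False, None),
        "first-party cookie, PII without consent": Cookie(False, Consent.NONE),
        "third-party cookie, PII with implicit consent": Cookie(True, Consent.IMPLICIT),
    }
    for label, cookie in samples.items():
        print(label)
        for level in LEVELS:
            print(f"  {level:<20} {decide(level, cookie).value}")
```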

Security Zones

On most networks, the Web browser on a user's computer is an open communication channel from the Internet directly to the computer and the local network the computer is attached to. A malicious attacker can embed scripts in a Web site that, when viewed, attack the computer or the local network of the user browsing that Web site. To prevent attacks delivered through Web sites, you can use Internet Explorer security settings, which are configured by using security zones. Security zones in Internet Explorer are flexible and customizable, enabling you to configure browser security while maintaining Web site functionality.

Security zones group Web sites into categories based on levels of trust. When using Internet Explorer to browse Web sites, the security zone of the Web site is displayed in the lower right-hand corner of the Internet Explorer System bar, as shown in Figure 10-3.

Figure 10-3. Viewing the current security zone in Internet Explorer

You can use four predefined levels of security with these security zones:

  • High

    Greatly restricts what you can do when browsing Web sites, including disabling all Microsoft ActiveX and Java content. This security setting disables Active Scripting. (We will discuss Active Scripting later in this section.)

  • Medium

    Provides a moderate level of protection, including preventing unsigned ActiveX controls from being downloaded and prompting users for confirmation when downloading any ActiveX content. Active Scripting is enabled in this security setting. This level sets Java security to High.

  • Medium-Low

    Provides the same level of protection for non-Java content that the Medium security level does, without prompting the user for as many of the security options. This level sets Java security to Medium.

  • Low

    Provides little to no security control over Web site content. This level sets Java security to Low. You should not use this security level.

Table 10-1 shows the security configuration of the predefined security zones in Internet Explorer 6. We will discuss these security options in more detail momentarily. In addition to the predefined security levels, as mentioned earlier, you can create a custom level of security and assign it to a security zone.

Table 10-1. Default Security Zones in Internet Explorer 6

| Security Option | Low | Medium-Low | Medium | High |
|---|---|---|---|---|
| Download Signed ActiveX Controls | Enable | Prompt | Prompt | Disable |
| Download Unsigned ActiveX Controls | Prompt | Disable | Disable | Disable |
| Initialize And Script ActiveX Controls Not Marked As Safe | Prompt | Disable | Disable | Disable |
| Run ActiveX Controls And Plug-Ins | Enable | Enable | Enable | Disable |
| Script ActiveX Controls Marked Safe For Scripting | Enable | Enable | Enable | Disable |
| File Download | Enable | Enable | Enable | Disable |
| Font Download | Enable | Enable | Enable | Prompt |
| Microsoft VM Java Permissions | Low safety | Medium safety | High safety | Disable Java |
| Access Data Sources Across Domains | Enable | Prompt | Disable | Disable |
| Allow META REFRESH | Enable | Enable | Enable | Disable |
| Display Mixed Content | Prompt | Prompt | Prompt | Prompt |
| Don't Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists | Enable | Enable | Disable | Disable |
| Drag And Drop Or Copy And Paste Files | Enable | Enable | Enable | Prompt |
| Installation Of Desktop Items | Enable | Prompt | Prompt | Disable |
| Launching Programs And Files In An IFRAME | Enable | Prompt | Prompt | Disable |
| Navigate Subframes Across Different Domains | Enable | Enable | Enable | Disable |
| Software Channel Permissions | Low safety | Medium safety | Medium safety | High safety |
| Submit Nonencrypted Form Data | Enable | Enable | Prompt | Prompt |
| Userdata Persistence | Enable | Enable | Enable | Disable |
| Active Scripting | Enable | Enable | Enable | Disable |
| Allow Paste Operations Via Script | Enable | Enable | Enable | Disable |
| Scripting Of Java Applets | Enable | Enable | Enable | Disable |
| User Authentication | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Automatic logon with current user name and password | Prompt for user name and password |

When configuring security zones, you must remember that although security zones are configured and maintained in Internet Explorer, they also apply to other applications, such as Office XP; Microsoft Outlook Express and Microsoft Outlook Preview Pane and HTML messages; and HTML Help applications. These are the default security zones in Internet Explorer:

  • Local Intranet

    The Local Intranet zone applies to all local Internet domains, Web sites that bypass the proxy server, dotless IP addresses, and all Universal Naming Convention (UNC) paths. Internet domains are considered local based on the domains listed in the Domain Name System (DNS) suffix search order in the TCP/IP properties. The Web sites that bypass the proxy server are defined as local on the Connections tab of Internet Options, which is often configured by the proxy server or firewall. By default, the security on this zone is set to Medium-Low. In addition, you can add sites to the Local Intranet zone this way:

    1. Open Internet Explorer.

    2. Open the Tools menu and then select Internet Options.

    3. Click the Security tab of the Internet Options window; then click the Local Intranet zone icon.

    4. Click Sites; then click Advanced.

    5. Enter the name of the site to add to the Local Intranet zone in the Local Intranet window. Click OK and close all open windows.

  • Trusted Sites

    The Trusted Sites zone applies only to Web sites added to it. By default, all Web sites placed in this zone must use https://, meaning that they are protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS), to verify the confidentiality and integrity of the data coming from the Web site as well as to authenticate the Web site itself. You can remove this restriction but should do so only if absolutely required. The security on this zone is set to Low by default and contains no Web sites.

  • Restricted Sites

    The Restricted Sites zone applies only to Web sites added to it. The security level on this zone is set to High by default. Sites in this zone are given little trust.

  • Internet

    The Internet zone applies to all Web sites not defined in any other security zone. By default, the security on this zone is set to Medium; only a limited amount of trust is given to Web sites in this zone. You should configure the security on this zone to meet your organization's business and technical needs.

    In addition to the four default security zones in Internet Explorer 5 and 6, a hidden security zone called My Computer contains security settings for unsigned ActiveX controls on the local computer. You can unhide the My Computer security zone by setting the registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags to 0x47 or by running the Showallseczones.vbs tool located in the Tools\Scripts folder on the CD included with this book.
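One way to check that deployed zones have not drifted below these defaults is to audit a registry export of the Zones keys against Table 10-1. This is an added example, not a tool from the book or its CD; the four-digit action IDs and the 0/1/3 value encoding are the registry names Internet Explorer uses for these options and do not appear in the chapter, only a subset of the table's three-state rows is covered, and the sample export is constructed.

```python
import re

# Registry data for three-state options: 0 = Enable, 1 = Prompt, 3 = Disable.
# (The encoding and the action IDs below are not given in the chapter.)
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
RANK = {"Enable": 0, "Prompt": 1, "Disable": 2}  # higher = more restrictive
LETTER = {"E": "Enable", "P": "Prompt", "D": "Disable"}
LEVELS = ("Low", "Medium-Low", "Medium", "High")

# action ID -> (option name, Table 10-1 row in Low/Medium-Low/Medium/High order)
TABLE_10_1 = {
    "1001": ("Download Signed ActiveX Controls", "EPPD"),
    "1004": ("Download Unsigned ActiveX Controls", "PDDD"),
    "1201": ("Initialize And Script ActiveX Controls Not Marked As Safe", "PDDD"),
    "1200": ("Run ActiveX Controls And Plug-Ins", "EEED"),
    "1405": ("Script ActiveX Controls Marked Safe For Scripting", "EEED"),
    "1803": ("File Download", "EEED"),
    "1406": ("Access Data Sources Across Domains", "EPDD"),
    "1804": ("Launching Programs And Files In An IFRAME", "EPPD"),
    "1601": ("Submit Nonencrypted Form Data", "EEPP"),
    "1400": ("Active Scripting", "EEED"),
    "1407": ("Allow Paste Operations Via Script", "EEED"),
}

# zone number -> (zone name, default security level stated in the chapter)
ZONES = {
    "1": ("Local Intranet", "Medium-Low"),
    "2": ("Trusted Sites", "Low"),
    "3": ("Internet", "Medium"),
    "4": ("Restricted Sites", "High"),
}

SECTION = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {zone number: {action ID: value}} from decoded .reg export text."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = zones.setdefault(section.group(1), {})
        elif line.startswith("["):
            current = None  # a key outside the Zones tree: skip its values
        elif current is not None:
            value = VALUE.match(line)
            if value:
                current[value.group(1).upper()] = int(value.group(2), 16)
    return zones


def audit(zones):
    """List (zone, option, actual, expected) where a zone is weaker than its default level."""
    findings = []
    for number, values in sorted(zones.items()):
        if number not in ZONES:
            continue
        zone_name, level = ZONES[number]
        column = LEVELS.index(level)
        for action, (option, row) in TABLE_10_1.items():
            if action not in values:
                continue
            expected = LETTER[row[column]]
            actual = STATE.get(values[action])
            if actual is None:
                findings.append((zone_name, option, f"unknown 0x{values[action]:X}", expected))
            elif RANK[actual] < RANK[expected]:
                findings.append((zone_name, option, actual, expected))
    return findings


# Constructed sample: an Internet zone that runs unsigned controls silently and a
# Restricted Sites zone with Active Scripting switched back on.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1400"=dword:00000000
"1406"=dword:00000001
"1601"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000000
"1803"=dword:00000003
'''

if __name__ == "__main__":
    for zone, option, actual, expected in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{zone}: {option} is {actual}, template says {expected}")
```

The audit compares each zone with the level the chapter gives as its default; a zone deliberately assigned a different level needs its entry in ZONES changed to match.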

The security settings in Internet Explorer are divided into the following categories:

  • ActiveX controls and plug-ins

  • Downloads

  • Microsoft VM

  • Miscellaneous

  • Scripting

  • User authentication

Unfortunately, no one correct implementation of these settings exists for all users or all organizations. You must analyze the business and technical requirements of your organization to configure these security settings in Internet Explorer.

ActiveX Controls and Plug-Ins

ActiveX controls enable Web sites to deliver interactive content to users through Internet Explorer. The ActiveX controls and plug-ins section of Internet Explorer 6 security includes settings for how Internet Explorer approves, downloads, runs, and scripts ActiveX controls. If a user downloads an ActiveX control that is hosted on a Web site that belongs to a different security zone from the page on which it is used, Internet Explorer applies the more restrictive of the two sites' security zone settings. These are the ActiveX security settings:

  • Download Signed ActiveX Controls

    This option determines whether users can download signed ActiveX controls from a page in the specified security zone. You can choose from the following settings:

    • Disable Prevents all signed controls from downloading. Although this setting will greatly enhance the security of Internet Explorer, it can prevent users from accessing Internet resources they need to use to complete their job functions.

    • Enable Downloads valid signed controls without user intervention and prompts users to choose whether to download signed controls that have been revoked or have expired.

    • Prompt Prompts users to choose whether to download controls signed by publishers who are not trusted. Controls signed by trusted publishers are silently downloaded even if this option is selected.

  • Download Unsigned ActiveX Controls

    Determines whether users can download unsigned ActiveX controls from the zone. Unsigned controls are potentially harmful, especially when they come from an untrusted Web site. You can choose from the following settings:

    • Disable Prevents unsigned controls from running. You should always disable the downloading of unsigned ActiveX controls.

    • Enable Runs unsigned controls without user intervention.

    • Prompt Prompts users to choose whether to allow the unsigned control to run. You should enable this setting only for the Trusted Sites or My Computer zone when you have a specific reason, such as testing an ActiveX control in the development process.

  • Initialize And Script ActiveX Controls Not Marked As Safe

    ActiveX controls are classified as either trusted or untrusted. This option controls whether a script can interact with untrusted controls in the security zone. Untrusted controls are not meant for use on Internet pages, but some Web sites might require them. Object safety should be enforced unless you can trust all ActiveX controls and scripts on pages in the zone. You can set this option to one of the following:

    • Disable Enforces object safety for untrusted data or scripts. ActiveX controls that cannot be trusted are not loaded with parameters or scripted.

    • Enable Overrides object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes Internet Explorer to initialize and script both untrusted and trusted controls and to ignore the Script ActiveX Controls Marked Safe For Scripting option, thus removing all security for controls not marked as safe.

    • Prompt Attempts to enforce object safety. However, if ActiveX controls cannot be made safe for untrusted data or scripts, users are given the option of allowing the control to be loaded with parameters or to be scripted.

  • Run ActiveX Controls And Plug-Ins

    This option determines whether Internet Explorer can run ActiveX controls and plug-ins from pages in the security zone. You can set this option to the following:

    • Administrator Approved Runs only those controls and plug-ins that you have approved for your users. To select the list of approved controls and plug-ins, use Internet Explorer System Policies And Restrictions. The Control Management category of policies enables you to manage these controls.

    • Disable Prevents controls and plug-ins from running.

    • Enable Runs controls and plug-ins without user intervention.

    • Prompt Prompts users to choose whether to allow the controls or plug-ins to run.

  • Script ActiveX Controls Marked Safe For Scripting

    This option determines whether an ActiveX control that is marked safe for scripting can interact with a script. This option affects only controls that are loaded with <param> tags. You can choose from the following settings:

    • Disable Prevents script interaction

    • Enable Allows script interaction without user intervention

    • Prompt Prompts users to choose whether to allow script interaction

Download Options

The Download options specify how Internet Explorer downloads files and fonts. These are the two options:

  • File Download

    Controls whether file downloads are permitted based on the security zone of the Web page that contains the download link, not the zone from which the file originated. You can set this option to the following:

    • Disable Prevents files from being downloaded from the zone

    • Enable Allows files to be downloaded from the zone

  • Font Download

    Determines whether Web pages within the zone can download HTML fonts. You can set this option to the following:

    • Disable Prevents HTML fonts from being downloaded

    • Enable Downloads HTML fonts without user intervention

    • Prompt Prompts users to choose whether to allow the download of HTML fonts

Microsoft VM Options

The Microsoft virtual machine (VM) options enable you to configure security for Microsoft VM, which is compatible with Java applets and libraries. In Windows XP, this section is available only after you download and install the Java Virtual Machine. Unless you have Java applications that users access through Internet Explorer, you should set the Java security to the Disable Java option. You can set the Microsoft VM security level to one of the following options:

  • Custom

    Enables you to control permissions manually

  • Disable Java

    Prevents any Java applets from running

  • High Safety

    Enables Java applets to run in their respective sandbox, which is an isolated place in memory.

  • Low Safety

    Enables Java applets to perform all operations

  • Medium Safety

    Enables applets to run in their respective sandbox and gives the applets other capabilities, such as access to scratch space and user-controlled file input and output

Miscellaneous Options

The Miscellaneous options control whether users can access data sources across domains, submit data by using nonencrypted forms, launch applications and files from IFRAME elements, install desktop items, drag and drop files, copy and paste files, and access software channel features from this zone. These are the options:

  • Access Data Sources Across Domains

    Specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data. You can set this option to the following:

    • Disable Allows database access only in the same domain as the Web page

    • Enable Allows database access to any source, including other domains

    • Prompt Prompts users before allowing database access to any source in other domains

  • Allow META REFRESH

    Specifies whether Web pages can use meta-refreshes to reload pages after a preset delay. You can set this option to the following:

    • Disable Prevents Web pages from using meta-refreshes

    • Enable Allows Web pages to use meta-refreshes

  • Display Mixed Content

    Specifies whether Web pages can display content from both secure and nonsecure servers. You can set this option to one of the following:

    • Disable Prevents Web pages from displaying nonsecure content.

    • Enable Allows Web pages to display both secure and nonsecure content.

    • Prompt Prompts users before allowing Web pages to display both secure and nonsecure content. You should set this option to prompt you when not everything on the Web site you are viewing is secured by SSL or TLS.

  • Don't Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists

    Specifies whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer. You can choose from the following settings:

    • Disable Allows users to be prompted for a certificate

    • Enable Prevents users from being prompted for a certificate

  • Drag And Drop Or Copy And Paste Files

    Controls whether users can drag and drop files, or copy and paste them, from Web pages within the zone. You can set this option to one of these:

    • Disable Prevents users from dragging and dropping files, or copying and pasting them, from the security zone

    • Enable Enables users to drag and drop files, or copy and paste them, from the security zone without being prompted

    • Prompt Prompts users to choose whether they can drag and drop files, or copy and paste them, from the security zone

  • Installation Of Desktop Items

    Controls whether users can install desktop items from Web pages within the zone. You can choose one of these settings:

    • Disable Prevents users from installing desktop items from this zone

    • Enable Enables users to install desktop items from this zone without being prompted

    • Prompt Prompts users to choose whether they can install desktop items from this zone

  • Launching Programs And Files In An IFRAME

    Controls whether users can launch programs and files from an IFRAME element (containing a directory or folder reference) in Web pages within the zone. You can choose from these settings:

    • Disable Prevents programs from running and files from downloading from IFRAME elements on Web pages in the zone

    • Enable Runs programs and downloads files from IFRAME elements on Web pages in the zone without user intervention

    • Prompt Prompts users to choose whether to run programs and download files from IFRAME elements on Web pages in the zone

  • Navigate Subframes Across Different Domains

    Controls whether readers of a Web page can navigate the subframe of a window with a top-level document that resides in a different domain. You can set this option to one of the following choices:

    • Disable Allows users to navigate only among Web page subframes that reside in the same domain

    • Enable Allows users to navigate among all Web page subframes, regardless of the domain, without being prompted

    • Prompt Prompts users to choose whether to navigate among Web page subframes that reside in different domains

  • Software Channel Permissions

    Controls the permissions given to software distribution channels. You can set this option to any of the following:

    • High Safety Prevents users from being notified about software updates by e-mail, prevents software packages from being automatically downloaded to users' computers, and prevents software packages from being automatically installed on users' computers.

    • Medium Safety Notifies users about software updates by e-mail, and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download.

    • Low Safety Notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers.

  • Submit Nonencrypted Form Data

    Determines whether HTML pages in the zone can submit forms to or accept them from servers in the zone. Forms sent with SSL encryption are always allowed; this setting affects only data that is submitted by non-SSL forms. You can choose from the following settings:

    • Disable Prevents information from forms on HTML pages in the zone from being submitted

    • Enable Allows information from forms on HTML pages in the zone to be submitted without user intervention

    • Prompt Prompts users to choose whether to allow information from forms on HTML pages in the zone to be submitted

  • Userdata Persistence

    Determines whether a Web page can save a small file of personal information associated with the page to the computer. You can set this option to the following:

    • Disable Prevents a Web page from saving a small file of personal information to the computer

    • Enable Allows a Web page to save a small file of personal information to the computer

Scripting Options

The Scripting options specify how Internet Explorer handles scripts embedded in Web pages:

  • Active Scripting

    Determines whether Internet Explorer can run script code on Web pages in the zone. You can set this option to one of the following:

    • Disable Prevents scripts from running

    • Enable Runs scripts without user intervention

    • Prompt Prompts users about whether to allow the scripts to run

  • Allow Paste Operations Via Script

    Determines whether a Web page can cut, copy, and paste information from the Clipboard. You can choose one of the following settings:

    • Disable Prevents a Web page from cutting, copying, and pasting information from the Clipboard

    • Enable Allows a Web page to cut, copy, and paste information from the Clipboard without user intervention

    • Prompt Prompts users about whether to allow a Web page to cut, copy, or paste information from the Clipboard

  • Scripting Of Java Applets

    Determines whether scripts within the zone can use objects that exist within Java applets. This capability allows a script on a Web page to interact with a Java applet. You can set this option to one of these:

    • Disable Prevents scripts from accessing applets

    • Enable Allows scripts to access applets without user intervention

    • Prompt Prompts users about whether to allow scripts to access applets

The User Authentication Option

Only one User Authentication option exists: the Logon option. This option controls how HTTP user authentication is handled. Logon has the following settings:

  • Anonymous Logon

    Disables HTTP authentication and uses the guest account only for authentication by using the Common Internet File System (CIFS) protocol.

  • Automatic Logon Only In Intranet Zone

    Prompts users for user IDs and passwords in other security zones. After users are prompted, these values can be used for the remainder of the session without user interaction.

  • Automatic Logon With Current User Name And Password

    Attempts logon by using NT LAN Manager (NTLM) authentication. If NTLM is supported by the server, the logon uses the network user name and password for logon. If the server does not support NTLM, users are prompted to provide their user names and passwords. You should use this setting only for sites in the Intranet zone.

  • Prompt For User Name And Password

    Always prompts users for user IDs and passwords. User names and passwords are cached for the remainder of the session.

In addition to the security settings in security zones, some global security settings apply to all security zones when using Internet Explorer. You can configure these global options on the Advanced tab of Internet Options. Here are the security settings on the Advanced tab and their default values:

  • Check For Publisher's Certificate Revocation

    Internet Explorer will check the certificate revocation list (CRL) for the status of a software publisher's certificate when downloading ActiveX controls. This option is enabled by default.

  • Check For Server Certificate Revocation

    Internet Explorer will check the CRL for Web sites that require SSL or TLS. Enabling this option might cause a slight delay in connecting to secure Web sites but adds to the security of browsing the Internet. This option is disabled by default.

  • Check For Signatures On Downloaded Programs

    Internet Explorer will verify the digital signatures on ActiveX controls. This option is disabled by default.

  • Do Not Save Encrypted Pages To Disk

    No Web pages or parts of Web pages viewed in a secure session will be saved in the Temporary Internet Files folder. This option should be enabled on all public computers or computers with high security requirements. This option is disabled by default.

  • Empty Temporary Internet Files Folder When Browser Is Closed

    Deletes the contents of the Temporary Internet Files folder each time the Web browser is closed. This option should be enabled on all public computers or computers with high security requirements. This option is disabled by default.

  • Enable Integrated Windows Authentication

    Only NTLM-based authentication methods will be used to authenticate users if prompted by the Web server. This option is disabled by default.

  • Enable Profile Assistant

    Allows you to use the Profile Assistant to store and maintain personal information. This option is disabled by default.

  • Use SSL 2.0

    Allows the use of SSL 2.0 for connections over secure channels. This option is enabled by default.

  • Use SSL 3.0

    Allows the use of SSL 3.0 for connections over secure channels. This option is enabled by default.

  • Use TLS 1.0

    Allows the use of TLS 1.0 for connections over secure channels. This option is disabled by default.

  • Warn About Invalid Site Certificates

    Presents a message box to users, warning them that the secure Web site they are connecting to is using a certificate that is no longer valid. This option is enabled by default.

  • Warn If Changing Between Secure And Not Secure Methods

    Presents a message box to users, warning them that they are moving between Web sites that are secure and Web sites that are not secure. This option is enabled by default.

  • Warn If Forms Submittal Is Being Redirected

    Presents a message box to users, warning them that Internet Explorer is being redirected to another Web site or location to retrieve content. This option is enabled by default.
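The logon options and Advanced tab settings above can be checked offline from a per-user registry export. The following Python audit is an added example, not part of the original text. It assumes the settings are stored in the registry values 1A00, SecureProtocols, CertificateRevocation and DisableCachingOfSSLPages, names that do not appear in the text, and it runs on a constructed sample export.

```python
import re

# Constructed sample: .reg export of one user's Internet Settings (not from the book).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000028
"CertificateRevocation"=dword:00000000
"DisableCachingOfSSLPages"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00000000
'''

# Zones on the Security tab other than Local Intranet (zone 1); zone 0 is skipped.
NON_INTRANET = {"2": "Trusted Sites", "3": "Internet", "4": "Restricted Sites"}
AUTO_LOGON = 0x00000000   # 1A00 value: automatic logon with current user name and password
PROTOCOLS = {0x08: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0"}

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, {}   # values seen before any key header are discarded
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def enabled_protocols(mask):
    """Decode the SecureProtocols bitmask into the Advanced tab option names."""
    return [name for bit, name in PROTOCOLS.items() if mask & bit]

def audit(text):
    """List settings that differ from what the text recommends for a high-security PC."""
    findings = []
    for path, values in parse_reg(text).items():
        zone = re.search(r"\\Internet Settings\\Zones\\(\d+)$", path)
        if zone and zone[1] in NON_INTRANET and values.get("1A00") == AUTO_LOGON:
            findings.append(f"{NON_INTRANET[zone[1]]} zone: automatic logon with current credentials")
        if path.endswith("\\Internet Settings"):
            if values.get("DisableCachingOfSSLPages", 0) != 1:
                findings.append("Do Not Save Encrypted Pages To Disk is off")
            if values.get("CertificateRevocation", 0) != 1:
                findings.append("Check For Server Certificate Revocation is off")
    return findings
```

The sample's SecureProtocols value of 0x28 decodes to SSL 2.0 and SSL 3.0, which matches the defaults listed above.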

Configuring Privacy and Security Settings in Internet Explorer 6

You can configure privacy and security settings in Internet Explorer manually through Internet Options from the Tools menu, during installation with the Internet Explorer Administration Kit (IEAK), or by using Group Policy. If you plan to deploy Internet Explorer in your organization, you should consider using the IEAK.

The IEAK is beyond the scope of this book, but you can get more information about it from the IEAK Web site at http://www.microsoft.com/windows/ieak/default.asp.

You can use Group Policy to manage the privacy and security settings in Internet Explorer on a per-user basis and control whether users can change settings on a per-user basis or a per-computer basis.

Group Policy in Windows 2000 enables you to centrally configure and manage Internet Explorer security on a per-user basis. To configure Internet Explorer privacy and security settings through Group Policy, open the Microsoft Management Console (MMC) on a computer running Windows XP and add the Group Policy snap-in. If you create a Group Policy object (GPO) on Windows 2000, you might not be able to configure the privacy settings unless you have Internet Explorer 6.0 or later installed.

After importing the security zones and privacy settings from the computer you are editing the GPO on, you can modify the settings and apply the GPO to a site, domain, or OU containing the user accounts that should be subject to the privacy and security settings. You can also export the settings into .ins and .cab files for use with the IEAK.

In addition to configuring the privacy and security zone settings, as a network administrator, you can configure whether the user can modify Internet Explorer security settings. You can configure the following settings in the user-related portion of Group Policy by selecting the Administrative Templates menu option, then Windows Components, and then Internet Explorer:

  • Disable Changing Connection Settings

    Users will be prevented from changing how Internet Explorer connects to the Internet.

  • Disable Changing Proxy Settings

    Users will not be able to change the proxy server settings used by Internet Explorer.

  • Disable Changing Profile Assistant Settings

    Users will not be able to change the Profile Assistant settings.

  • Do Not Allow AutoComplete To Save Passwords

    Users will not be given the option to have Web site passwords saved by Internet Explorer.

  • Internet Control Panel/Disable The Security Page

    The Security page in Internet Options will not appear. Thus, users will not be able to change the security zones on the computer.

  • Internet Control Panel/Disable The Advanced Page

    The Advanced page in Internet Options will not appear. Thus, users will not be able to change the advanced security settings on the computer.

You also can make four Group Policy settings in the computer-related Internet Explorer security options. These settings will apply to all users of the computer.

  • Security Zones: Use Only Machine Settings

    Internet Explorer will use only the security zones configured on the computer, rather than configuring them on a per-user basis according to the user-related Group Policy settings.

  • Security Zones: Do Not Allow Users To Change Policies

    Users will be prevented from making changes to the security zones on the computer.

  • Security Zones: Do Not Allow Users To Add/Delete Sites

    Users will not be able to add or remove sites from the Trusted Sites or Restricted Sites zones.

  • Disable Automatic Install Of Internet Explorer Components

    Internet Explorer will not automatically download and install ActiveX components when a user visits a Web site where these components are used.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
