Internet Explorer Security Options

Internet Explorer security zones allow you to specify security options for different "zones" of web content. A zone is a collection of Web sites that you trust at the same level, to which you should assign the appropriate security options.

You can adjust the Internet Explorer default settings to best match the security features of your system. For users with a secure intranet, for example, the Local Intranet zone (once configured to match the firewall) can usually have its security setting adjusted to Low or a suitable Custom setting.

This topic describes the meaning of Internet Explorer security options in detail to help you make the right security decisions for each option in each zone. All security options apply to the Internet Explorer browser; they are not system-wide. Internet Explorer programs may or may not respect these options.

To set corporate security options, you must modify the settings by using the IEAK. The end-user can view security options in the browser by clicking the View menu, clicking Internet Options, clicking Custom, and then clicking Settings.

ActiveX Controls and plugins

These options control how ActiveX controls and plugins are downloaded, run, and scripted. For ActiveX control downloads, if a control is downloaded from a different site than the page it is used on, the more restrictive of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow (Enable) a download, but the code is downloaded from another zone that is set to prompt a user first, then the prompt setting is used.

Script ActiveX controls marked safe for scripting
This option determines whether an ActiveX control marked safe for scripting can interact with a script. Note that safe-for-initialization controls loaded with PARAM tags are unaffected by this option. This option is ignored when "Initialize and script ActiveX controls not marked as safe" is set to Enable, because that setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.

Run ActiveX controls and plugins
This option determines whether ActiveX controls and plugins can be run on pages from the specified zone.

Download signed ActiveX controls
This option allows users to download signed ActiveX controls from the zone of the page that includes the control. Clicking Enable will give the user the ability to silently download any signed controls. Clicking Prompt will give the user a warning before downloading controls signed by publishers that aren't trusted, but will still silently download trusted publisher-signed code. Clicking Deny will prevent the user from downloading any signed controls.

Download unsigned ActiveX controls
This option allows users to download unsigned ActiveX controls from the zone. Such code is potentially dangerous, especially when coming from an untrusted zone.
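
The cross-zone rule, the signed-download behaviour, and the object-safety override described above can be modelled in a few lines. This is an added example, not code from Internet Explorer or the IEAK; the function names, dictionary keys, and sample policy are hypothetical and constructed for illustration.

```python
# Added illustration: a simplified model of the rules described above,
# not Internet Explorer's actual implementation.
from enum import IntEnum

class Setting(IntEnum):
    """Option values, ordered from least to most restrictive."""
    ENABLE = 0
    PROMPT = 1
    DENY = 2

def effective_setting(page_zone, code_zone):
    """Cross-zone rule: the more restrictive of the two zones' settings wins."""
    return max(page_zone, code_zone)

def signed_download_action(page_zone, code_zone, publisher_trusted):
    """Outcome for a signed control: 'silent', 'warn' or 'block'."""
    setting = effective_setting(page_zone, code_zone)
    if setting is Setting.DENY:
        return "block"
    if setting is Setting.PROMPT and not publisher_trusted:
        return "warn"
    # Enable, or Prompt with a trusted publisher: no warning is shown.
    return "silent"

def safe_scripting_setting_applies(unsafe_option):
    """The safe-for-scripting option is ignored once the unsafe option is Enable."""
    return unsafe_option is not Setting.ENABLE

def audit_zone(name, options):
    """Flag settings a reviewer would question (dictionary keys are hypothetical)."""
    findings = []
    if not safe_scripting_setting_applies(options["init_script_unsafe"]):
        findings.append(name + ": object safety bypassed, safe-for-scripting setting ignored")
    if options["download_signed"] is Setting.ENABLE:
        findings.append(name + ": signed controls download silently from any publisher")
    return findings

# Constructed sample policy, not taken from a real deployment.
SAMPLE_POLICY = {
    "Internet": {"download_signed": Setting.PROMPT, "init_script_unsafe": Setting.DENY},
    "Local intranet": {"download_signed": Setting.ENABLE, "init_script_unsafe": Setting.ENABLE},
}

if __name__ == "__main__":
    for zone, opts in SAMPLE_POLICY.items():
        print(zone, audit_zone(zone, opts))
    # Page zone allows the download, code zone prompts, publisher untrusted.
    print(signed_download_action(Setting.ENABLE, Setting.PROMPT, False))
```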

Initialize and script ActiveX controls not marked as safe
This option determines whether ActiveX control object safety is enforced for pages in the zone. Object safety should be enforced unless all ActiveX controls and scripts that might interact with pages in the zone can be trusted. The settings are as follows:

Java

Java permissions
These options control the downloading and running of Java within the zone. For Java downloads, if a control is downloaded from a different site than the page it is used on, the more restrictive of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow a download, but the code is downloaded from another zone that is set to prompt a user first, then the prompt setting is used.

Each option setting determines the following:

The five options are:

Scripting

Active scripting
This option determines whether script code on pages of the zone is run.

Scripting of Java applets
This option determines whether the applets are exposed to scripts within the zone.

Downloads

File Download
This option controls whether file downloads are permitted from the zone. Note that this option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.

Font download
This option determines whether pages of the zone may download HTML fonts.

User Authentication

Logon
HTTP authentication honors the zone security policy for Logon credentials, which may have one of four values:

Miscellaneous

Submit non-encrypted form data
This option determines whether HTML forms on pages of the zone, or forms submitted to servers in the zone, may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting affects only non-SSL form data submission.

Launching applications and files from an IFrame
This option controls whether launching of applications and files is permitted from the zone in the case of an IFRAME tag referencing a directory from within HTML.

Installation of desktop items
This option controls whether users can install desktop items from the zone.

Drag and drop or copy and paste files
This option controls whether users can drag or copy files from a source within the zone.

Software Channel Permissions

Low safety allows:
Medium safety allows:
High safety allows:

Security options not exposed in the client user interface

The following options are fixed and cannot be set by the user. High, Medium, and Low zone settings do not change the behavior of these options.

Launch From Webview
This option controls launching of applications and files from a folder viewed as a Web page. The zone of the customizing Web content, not the zone of the folder itself, determines the setting:
Zone              Setting
My computer       Enable
Local intranet    Enable
Trusted sites     Enable
Internet          Prompt
Restricted sites  Prompt