Internet Explorer Security Options
Internet Explorer security zones allow you to specify security options for different "zones" of web content. A zone is a collection of Web sites that you trust at the same level, to which you should assign the appropriate security options.
You can adjust the Internet Explorer default settings to best match the security features of your system. For users with a secure intranet, for example, the Local Intranet zone (once configured to match the firewall) can usually have its security setting adjusted to Low or a suitable Custom setting.
This topic describes the meaning of Internet Explorer security options in detail to help you make the right security decisions for each option in each zone. All security options apply to the Internet Explorer browser; they are not system-wide. Internet Explorer programs may or may not respect these options.
To set corporate security options, you must modify the settings by using the IEAK. The end-user can view security options in the browser by clicking the View menu, clicking Internet Options, clicking Custom, and then clicking Settings.
ActiveX Controls and plugins
These options control how ActiveX controls and plugins are downloaded, run, and scripted. For ActiveX control downloads, if a control is downloaded from a different site than the page it is used on, the more restrictive of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow (Enable) a download, but the code is downloaded from another zone that is set to prompt the user first, then the prompt setting is used.
Script ActiveX controls marked safe for scripting
This option determines whether an ActiveX control marked safe for scripting can interact with a script. Note that safe-for-initialization controls loaded with PARAM tags are unaffected by this option. This option is ignored when Initialize and script ActiveX controls that are not marked safe is set to Enable because the setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.
Run ActiveX controls and plugins
This option determines whether ActiveX controls and plugins can be run on pages from the specified zone.
Download signed ActiveX controls
This option allows users to download signed ActiveX controls from the zone of the page that includes the control. Clicking Enable will give the user the ability to silently download any signed controls. Clicking Prompt will give the user a warning before downloading controls signed by publishers that aren't trusted, but will still silently download trusted publisher-signed code. Clicking Deny will prevent the user from downloading any signed controls.
Download unsigned ActiveX controls
This option allows users to download unsigned ActiveX controls from the zone. Such code is potentially dangerous, especially when coming from an untrusted zone.
Initialize and script ActiveX controls not marked as safe
This option determines whether ActiveX control object safety is enforced for pages in the zone. Object safety should be enforced unless all ActiveX controls and scripts that might interact with pages in the zone can be trusted. The settings are as follows:
- Enable overrides object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- Prompt attempts to enforce object safety. But, if the ActiveX control cannot be made safe for untrusted data or scripts, then the user is given the option of allowing the control to be loaded with parameters or scripted.
- Disable enforces object safety for untrusted data or scripts. ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Java
Java permissions
These options control the downloading and running of Java within the zone. For Java downloads, if the code is downloaded from a different site than the page it is used on, the more restrictive of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow a download, but the code is downloaded from another zone that is set to prompt the user first, then the prompt setting is used.
Each option setting determines the following:
- The maximum permission level silently granted to signed applets downloaded from the zone.
- The permissions granted to unsigned applets downloaded from the zone.
- The permissions granted to scripts on pages in the zone that call into applets.
The five options are:
- Custom lets you control permission settings individually. In the Custom Permissions dialog box, the Unsigned tab specifies the permissions for both unsigned applets and for scripts calling Java. The Allowed Without Warning tab specifies the threshold up to which applets will be silently granted permissions.
- Low Safety enables applets to perform all operations unhindered.
- Medium Safety enables applets to run in their sandbox, an area in memory outside of which the program cannot make calls, plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file Input/Output.
- High Safety enables applets to run in their sandbox.
- Disable Java does not allow any applets to run.
Scripting
Active scripting
This option determines whether script code on pages of the zone is run.
Scripting of Java applets
This option determines whether the applets are exposed to scripts within the zone.
Downloads
File Download
This option controls whether file downloads are permitted from the zone. Note that this option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
Font download
This option determines whether pages of the zone may download HTML fonts.
User Authentication
Logon
HTTP authentication honors the zone security policy for Logon credentials, which may have one of four values:
- Anonymous Logon: Disables HTTP authentication; uses guest account only for Common Internet File System (CIFS).
- Prompt for user name and password: Prompts for user ID and password. Once the user is prompted, this value may be used silently for the remainder of the session.
- Automatic logon only in Intranet zone: Prompts for user ID and password in other zones. After the user is prompted, this value can be used silently for the remainder of the session.
- Automatic logon with current username and password: The logon credential may be tried silently by Windows NT Challenge/Response (NTLM), an authentication protocol between an end-user client and an application server, before prompting.
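As an added example, not code from the original page, the following Python model captures the combination rules this page describes: the more-restrictive-zone rule for ActiveX and Java downloads, the object-safety override between the two ActiveX scripting options, and the four Logon values. The Setting ordering, the function names and the zone name strings are this example's own assumptions.

```python
from enum import IntEnum


class Setting(IntEnum):
    """Zone option values, ordered least to most restrictive so max() picks the stricter."""
    ENABLE = 0
    PROMPT = 1
    DISABLE = 2


def effective_download_setting(page_zone: Setting, code_zone: Setting) -> Setting:
    """Download rule: when a control or applet comes from a different site than the
    page using it, the more restrictive of the two zones' settings applies."""
    return max(page_zone, code_zone)


def safe_control_scripting_allowed(init_unsafe: Setting, script_safe: Setting) -> bool:
    """Whether a control marked safe for scripting may be scripted. If 'Initialize and
    script ActiveX controls not marked as safe' is Enable, object safety is bypassed
    entirely and the 'Script ActiveX controls marked safe for scripting' option is ignored."""
    if init_unsafe == Setting.ENABLE:
        return True
    return script_safe == Setting.ENABLE


# Logon option names as they appear in the Internet Explorer settings.
ANONYMOUS = "Anonymous Logon"
LOGON_PROMPT = "Prompt for user name and password"
AUTO_INTRANET = "Automatic logon only in Intranet zone"
AUTO_ALWAYS = "Automatic logon with current username and password"


def logon_action(option: str, zone: str, prompted_this_session: bool = False) -> str:
    """What the browser does for HTTP authentication in the zone: 'anonymous' (guest only),
    'prompt', 'reuse' (credentials already entered this session) or 'silent' (NTLM)."""
    if option == ANONYMOUS:
        return "anonymous"
    if option == AUTO_ALWAYS:
        return "silent"
    if option == AUTO_INTRANET and zone == "Local intranet":
        return "silent"
    # LOGON_PROMPT everywhere, and AUTO_INTRANET outside the intranet zone
    return "reuse" if prompted_this_session else "prompt"


if __name__ == "__main__":
    # Constructed scenario: page in a zone set to Enable, code hosted in a zone set to Prompt.
    print(effective_download_setting(Setting.ENABLE, Setting.PROMPT).name)
```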
Miscellaneous
Submit non-encrypted form data
This option determines whether HTML forms on pages of the zone, or forms submitted to servers in the zone, may be submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.
Launching applications and files from an IFrame
This option controls whether launching of applications and files is permitted from the zone in the case of an IFRAME tag referencing a directory from within HTML.
Installation of desktop items
This option controls whether users can install desktop items from the zone.
Drag and drop or copy and paste files
This option controls whether users can drag or copy files from a source within the zone.
Software Channel Permissions
Low safety allows:
- E-mail notification
- Auto download
- Auto installation
Medium safety allows:
- E-mail notification
- Auto download
High safety allows:
- None of the software channel distribution features
Security options not exposed in the client user interface
The following options are fixed and cannot be set by the user. High, Medium, and Low zone settings do not change the behavior of these options.
Launch From Webview
This option controls launching of applications and files from a folder viewed as a Web page. The zone of the customizing Web content, not the zone of the folder itself, determines the setting:
| Zone of the customizing Web content | Launch From Webview |
| --- | --- |
| My computer | Enable |
| Local intranet | Enable |
| Trusted sites | Enable |
| Internet | Prompt |
| Restricted sites | Prompt |