Internet Explorer Security Setting Explained

Compiled By
InfoComm Security/QA, Computer Centre
National University of Singapore
May, 2005

Internet Explorer uses a security model called Zone Security. By grouping the Internet sites into different security Zones, different restrictions based on Zones (Internet, Local Intranet, Trusted Sites and Restricted sites) are imposed on different web sites you are surfing.  For Internet sites, the security restrictions would be high so that you will have more protection against malicious websites out there. Whereas for Trusted Sites and Local Intranet, you can relax the security restriction so that more functionalities of the websites can be used without compromising security.

There is a default security setting for each of the security Zones, however, to have more control on the security setting while surfing the net, you can customize the security level of each Zone by clicking Tools on IE menu bar, selecting Internet Options..., choosing the Security tab.

The following section describe the detailed explanations of each settings, recommended settings for the Internet Zone is highlighted in bold.

.NET Framework-reliant components: Allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. This option will show up only if you installed .NET Framework.

Run components not signed with Authenticode

• Disable: IE will not execute unsigned managed components.
• Enable: IE will execute unsigned managed components.
• Prompt: IE will prompt the user to determine whether to execute unsigned managed components.

Run components signed with Authenticode

• Disable: IE will not execute signed managed components
• Enable: IE will execute signed managed components.
• Prompt: IE will prompt the user to determine whether to execute signed managed components.

Download signed ActiveX controls: Determines whether users can download signed ActiveX controls from a page in the zone.

• Disable, which prevents all signed controls from downloading.
• Enable, which downloads valid signed controls without user intervention and prompts users to choose whether to download invalid signed controls, that is, controls that have been revoked or have expired.
• Prompt, which prompts users to choose whether to download controls signed by publishers who are not trusted, but still silently downloads code validly signed by trusted publishers.

Download unsigned ActiveX controls: Determines whether users can download unsigned ActiveX controls from the zone.

• Disable, which prevents unsigned controls from running.
• Enable, which runs unsigned controls without user intervention.
• Prompt, which prompts users to choose whether to allow the unsigned control to run.

Initialize and script ActiveX controls not marked as safe: ActiveX controls are classified as either trusted or untrusted. This option controls whether a script can interact with untrusted controls in the zone.

• Disable, which enforces object safety for untrusted data or scripts. ActiveX controls that cannot be trusted are not loaded with parameters or scripted.
• Enable, which overrides object safety. ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes Internet Explorer to initialize and script both untrusted and trusted controls and ignore the Script ActiveX controls marked safe for scripting option.
• Prompt, which attempts to enforce object safety. However, if ActiveX controls cannot be made safe for untrusted data or scripts, users are given the option of allowing the control to be loaded with parameters or to be scripted.

Run ActiveX controls and plug-ins: Determines whether Internet Explorer can run ActiveX controls and plug-ins from pages in the zone.

• Administrator approved, which runs only those controls and plug-ins that you have approved for your users. To select the list of approved controls and plug-ins, use Internet Explorer system policies and restrictions. The Control Management category of policies enables you to manage these controls.
• Disable, which prevents controls and plug-ins from running.
• Enable, which runs controls and plug-ins without user intervention.
• Prompt, which prompts users to choose whether to allow the controls or plug-ins to run.

Script ActiveX controls marked safe for scripting: Determines whether an ActiveX control that is marked safe for scripting can interact with a script. Internet Explorer ignores this option when Initialize and script ActiveX controls that are not marked safe is set to Enable, because that setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.

• Disable, which prevents script interaction. Disabling ActiveX control scripting will also prevent applets from being scripted.
• Enable, which allows script interaction without user intervention.
• Prompt, which prompts users to choose whether to allow script interaction.

Downloads: Specifies how Internet Explorer handles downloads.

File download: Controls whether file downloads are permitted based on the zone of the Web page that contains the download link, not the zone from which the file originated.

• Disable, which prevents files from being downloaded from the zone.
• Enable, which allows files to be downloaded from the zone.

Font download: Determines whether Web pages within the zone can download HTML fonts.

• Disable, which prevents HTML fonts from being downloaded.
• Enable, which downloads HTML fonts without user intervention.
• Prompt, which prompts users to choose whether to allow the download of HTML fonts.

Java Permissions: Allows you to manage permissions for Java Applets.

• Custom, which allows you to control permissions settings individually.
• Disable Java, which prevents Java applets from running.
• High Safety, which enables Java applets to run from their sandbox.
• Low Safety, which enables Java applets to perform all operations.
• Medium Safety, which enables Java applets to run in their sandbox, plus capabilities like scratch space and user-controlled file I/O.

Access data sources across domains: Specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data.

• Disable, which allows database access only in the same domain as the Web page.
• Enable, which allows database access to any source, including other domains.
• Prompt, which prompts users before allowing database access to any source in other domains.

Allow META REFRESH: Specifies whether Web pages can use meta-refreshes to reload pages after a preset delay.

• Disable, which prevents Web pages from using meta-refreshes.
• Enable, which allows Web pages to use meta-refreshes.

Display mixed content: Specifies whether Web pages can display content from both secure and non-secure servers.

• Disable, which prevents Web pages from displaying non-secure content.
• Enable, which allows Web pages to display both secure and non-secure content.
• Prompt, which prompts users before allowing Web pages to display both secure and non-secure content.

Don't prompt for client certificate selection when no certificates or only one certificate exists: Specifies whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer.

• Disable, which allows users to be prompted for a certificate.
• Enable, which prevents users from being prompted for a certificate.

Drag and drop or copy and paste files: Controls whether users can drag and drop, or copy and paste, files from Web pages within the zone.

• Disable, which prevents users from dragging and dropping files, or copying and pasting files, from the zone.
• Enable, which enables users to drag and drop files, or copy and paste files, from the zone without being prompted.
• Prompt, which prompts users to choose whether they can drag and drop files, or copy and paste files, from the zone.

Installation of desktop items: Controls whether users can install desktop items from Web pages within the zone.

• Disable, which prevents users from installing desktop items from this zone.
• Enable, which enables users to install desktop items from this zone without being prompted.
• Prompt, which prompts users to choose whether they can install desktop items from this zone.

Launching programs and files in an IFRAME: Controls whether users can launch programs and files from an IFRAME element (containing a directory or folder reference) in Web pages within the zone.

• Disable, which prevents programs from running and files from downloading from IFRAME elements on Web pages in the zone.
• Enable, which runs programs and downloads files from IFRAME elements on Web pages in the zone without user intervention.
• Prompt, which prompts users to choose whether to run programs and download files from IFRAME elements on Web pages in the zone.

Navigate sub-frames across different domains: Controls whether readers of a Web page can navigate the sub-frame of a window with a top-level document that resides in a different domain.

• Disable, which allows users to navigate only between Web page sub-frames that reside in the same domain.
• Enable, which allows users to navigate between all Web page sub-frames, regardless of the domain, without being prompted.
• Prompt, which prompts users to choose whether to navigate between Web page sub-frames that reside in different domains.

Software channel permissions: controls the permissions given to software distribution channels.

• High safety, which prevents users from being notified about software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.
• Low safety, which notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers.
• Medium safety, which notifies users about software updates by e-mail and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download.

Submit nonencrypted form data: Determines whether HTML pages in the zone can submit forms to or accept forms from servers in the zone. Forms sent with Secure Sockets Layer (SSL) encryption are always allowed; this setting only affects data that is submitted by non-SSL forms.

• Disable, which prevents information from forms on HTML pages in the zone from being submitted.
• Enable, which allows information from forms on HTML pages in the zone to be submitted without user intervention.
• Prompt, which prompts users to choose whether to allow information from forms on HTML pages in the zone to be submitted.

Userdata persistence: determines whether a Web page can save a small file of personal information associated with the page to the computer.

• Disable, which prevents a Web page from saving a small file of personal information to the computer.
• Enable, which allows a Web page to save a small file of personal information to the computer.

Active scripting: Determines whether Internet Explorer can run script code on Web pages in the zone.

• Disable, which prevents scripts from running.
• Enable, which runs scripts without user intervention.
• Prompt, which prompts users about whether to allow the scripts to run.

Allow paste operations via script: Determines whether a Web page can cut, copy, and paste information from the Clipboard.

• Disable, which prevents a Web page from cutting, copying, and pasting information from the Clipboard.
• Enable, which allows a Web page to cut, copy, and paste information from the Clipboard without user intervention.
• Prompt, which prompts users about whether to allow a Web page to cut, copy, or paste information from the Clipboard.

Scripting of Java applets: Determines whether scripts within the zone can use objects that exist within Java applets. This capability allows a script on a Web page to interact with a Java applet. Internet Explorer ignores this option when Script ActiveX controls marked safe for scripting is set to Disable. In this case, Scripting of Java applets is also disabled.

• Disable, which prevents scripts from accessing applets.
• Enable, which allows scripts to access applets without user intervention.
• Prompt, which prompts users about whether to allow scripts to access applets.

Logon

• Anonymous logon, which disables HTTP authentication and uses the guest account only for authentication using the Common Internet File System (CIFS) protocol.
• Automatic logon only in Intranet zone, which prompts users for user IDs and passwords in other zones. After users are prompted, these values can be used silently for the remainder of the session.
• Automatic logon with current username and password, which attempts logon using Windows NT Challenge Response (also known as NTLM authentication), an authentication protocol between the client computer and the application server. If Windows NT Challenge Response is supported by the server, the logon uses the network user name and password for logon. If the server does not support Windows NT Challenge Response, users are prompted to provide their user names and passwords.
• Prompt for user name and password, which prompts users for user IDs and passwords. After users are prompted, these values can be used silently for the remainder of the session.