With Internet Explorer security zones, you can specify security options for different zones of Web content. A zone is a collection of Web sites that you trust at the same level. You assign a Web site to a specific zone, then you set the appropriate security options for that zone.
You can adjust the Internet Explorer default settings to best match the security features of your system. For a secure intranet, for example, you can usually adjust the security setting to Low or an appropriate custom setting (after the Local intranet zone is configured to match the firewall).
The following paragraphs describe the Internet Explorer security options in detail to help you make the right security decisions for each option in each zone. All security options apply to the Internet Explorer browser; they are not system-wide. Other Internet programs may or may not respect these options. This list contains the Internet Explorer security options for 32-bit versions of the browser, although some options also apply to 16-bit and UNIX versions of the browser.
The following settings or sections do not apply:
To set corporate security options, you must modify the settings by using the IEAK. The user views security options in the browser by clicking the Tools menu, clicking Internet Options, and then clicking the Security tab. To see custom settings, the user selects a security zone, and then clicks Custom Level.
These options control how ActiveX controls and plugins are administrator approved, downloaded, run, and scripted. For more information about managing and approving ActiveX controls, see Managing ActiveX Controls.
When a user downloads an ActiveX control from a site different than the site the control is used on, Internet Explorer uses the more restrictive of the two sites' zone settings. For example, if a user is viewing a Web page within a zone that is set to allow (Enable) a download, but the code is downloaded from another zone that is set to prompt the user first, then the prompt setting is used.
Script ActiveX controls marked safe for scripting
This option determines whether an ActiveX control marked safe for scripting can interact with a script. Note that safe-for-initialization controls loaded with PARAM tags are not affected by this option. This option is ignored when Initialize and script ActiveX controls not marked as safe is set to Enable because the setting bypasses all object safety. You cannot script unsafe controls while blocking the scripting of the safe ones.
Initialize and script ActiveX controls not marked as safe
ActiveX controls are classified as being either safe or unsafe. This option controls whether or not a script is allowed to interact with unsafe controls. Unsafe controls are not meant for use on Internet Web pages, but in some cases may be used with pages that can absolutely be trusted not to use the controls in a malicious way. Object safety should be enforced unless all ActiveX controls and scripts that might interact with pages in this zone can be trusted. The settings are as follows:
Run ActiveX controls and plugins
This option determines whether ActiveX controls and plugins can be run on pages from the specified zone. Disabling this option prevents running any ActiveX controls or plug-ins; therefore, the other ActiveX settings are ignored. Downloading, running, and scripting ActiveX controls are three distinct steps with options that apply to each separate step. Downloading options distinguish between signed and unsigned controls. Scripting options can be set for safe and unsafe controls separately. Whether a control is safe for scripting (or initialization) is determined by the control author and should not be confused with signing; signing and safety are independent. For more information, see the Microsoft Site Builder Network Workshop.
Download signed ActiveX controls
This option allows users to download signed ActiveX controls from pages in this zone. The settings are as follows:
Download unsigned ActiveX controls
This option allows users to download unsigned ActiveX controls from pages in this zone. This kind of code is potentially dangerous, especially when coming from an untrusted zone.
Java permissions
You must have the Microsoft VM installed before the Java options are available.
These options control the downloading and running of Java within the zone. For Java downloads, if a control is downloaded from a different site than the page it is used on, the more restrictive setting of the two sites' zone settings is used. For example, if a user is accessing a Web page within a zone that is set to allow a download, but the code is downloaded from another zone that is set to prompt a user first, then the prompt setting is used.
The settings for most platforms are discussed below. For 16-bit versions of Windows operating systems, the available settings for Java permissions are Enable and Disable.
Each option setting determines the following:
The five options are:
Active scripting
This option determines whether script code on pages in this zone is run.
Scripting of Java applets
This option determines whether scripts within the zone are allowed to use objects that exist within Java applets, allowing the script on the page to interact with the Java applet.
File Download
This option controls whether file downloads are permitted from within this zone. This option is determined by the zone of the page that contains the download link, not the zone from which the file is delivered.
Font download
This option determines whether users can download HTML fonts from pages within this zone.
Logon
HTTP authentication honors the zone security policy for Logon credentials, which may have one of four values:
Access data sources across domains
This option specifies whether components that connect to data sources should be allowed to connect to a different server to obtain data. This applies only to data binding, such as active data objects. The settings are as follows:
Submit non-encrypted form data
This option specifies whether HTML pages in the zone can submit forms to or accept forms from servers in the zone. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting affects only non-SSL form data submission.
Launching applications and files in an IFrame
This option controls whether users can launch applications and files from an IFRAME tag (containing a directory of a folder) in Web pages within this zone.
Installation of desktop items
This option controls whether users can install desktop items from Web pages within this zone.
Drag and drop or copy and paste files
This option controls whether users can drag or copy files from Web pages within this zone.
Software channel permissions
The settings are as follows:
Allow per-session cookies (not stored)
Determines the settings for cookies, text files that store the user's preferences, that are used by a Web site while the user is visiting the site. For example, this setting would determine whether a "virtual shopping cart" could be created while a user is shopping online. Per-session cookies do not remain on the hard disk.
The settings are as follows:
Allow cookies that are stored on your computer
Determines the settings for cookies that are stored on the user's hard drive for future browsing sessions. For example, this setting would determine whether a list of preferences or a user's name was retained for the user's next visit.
The settings are as follows:
The following options are fixed and cannot be set by the user. High, Medium, Medium-low, and Low zone settings do not change the behavior of these options.
Launch From Webview
This option controls whether users can start programs and files from a folder viewed as a Web page. This setting applies to Windows 98 users and to users who upgraded from Internet Explorer 4 and are using the Windows Desktop Update. The zone of the customizing Web content, not the zone of the folder itself, determines the setting:
My Computer | Local Intranet | Trusted Sites | Internet | Restricted Sites |
---|---|---|---|---|
Enable | Enable | Enable | Prompt | Prompt |