It's understandable that Bill Gates would want to show IE in a good light, but there's a comic irony
in his statement: At the moment that Bill Gates was speaking those words, while the latest version of Internet Explorer
was pestering people about downloading "untrusted" files, it was also being attacked by mere webpages, through
bugs present in the latest update of WinXP SP2 that allow code to be run on a client computer by
just visiting a webpage using IE. Those "hundreds of very smart people" comprising
the "quickest response team", working "constantly" for over two months, had yet to come up with a solution to make it
safe for WinXP users to just open a webpage in Internet Explorer. In fact, according to reports, that "quickest response team"
left Internet Explorer vulnerable online for a total of 284 days in 2006!
So what's the solution?
Would Bill Gates have us require that all webpages also include a Microsoft digital signature
before they can be viewed? Then again, another bug that turned up just before the SP2 release
allowed a computer to be attacked by merely viewing a JPG file. So maybe all image files should have Microsoft digital signatures, too? Or should
we perhaps just let Microsoft run the Internet, in the interest of safety? Ahh, funny you should mention that...
The Commercial Angle
There is also another important point to be noted here in regard to digital
signature warnings: Only corporate, commercial products are likely
to be digitally signed. There is no reason for most smaller companies to purchase a signing certificate. (And smaller companies cannot
purchase the new green-address-bar certificates. Those are restricted to corporations.) And certainly
there is no reason for individuals to need digital signatures
for their own personal files. So, in effect, the increased "security" nags could be seen as a move on the part of Microsoft
to commercialize the Internet for their own purposes. Clearly, inexperienced users of IE on WinXP SP2 who
have seen a few of those "Security Warning" popups are likely to get the impression that only corporate, commercial products,
from companies cooperating with Microsoft, are safe to download and open.
Coincident with the increased security warnings are efforts by Microsoft to
rein in potential online shoppers through the Windows Marketplace
and the "Windows Live" online services. (The "Live" initiative is a repackaging of their infamous Passport
tracking ID, along with Hotmail and various half-baked "web services".)
So Microsoft is presenting "Security Warning" popups in response to online downloads, while
they open their own private shopping mall. This problem gets even worse in IE7. Now, when visiting Microsoft and some other corporate websites with IE7, the
address bar will turn green (as explained above in the Introduction section) to indicate that you are visiting a "legitimate and safe" website.
The fact is that Microsoft is only one of
many corporate entities who would like to "de-democratize" the Internet and reduce it to merely
a giant, corporate shopping mall free of private websites and free of "mom-and-pop" competition. But Microsoft is in a uniquely powerful position due to their PC
operating system monopoly.
The "security" changes in Internet Explorer are in line with Microsoft's move toward recreating Windows PCs as web-service
appliances. (The Register did an interesting analysis
of this situation as long ago as October 2003.) With the apparent goal of cashing in on Internet commerce,
Microsoft has been increasingly forceful with their pretense that Internet Explorer, and now Media Player,
are somehow integral parts of the Windows operating system. That logic provides a back door means
to present Internet access, browsing and music downloading as built-in functions of the Windows operating system, and therefore
as part of Microsoft's purview. The fact that the European Union is requiring Microsoft to stop force-bundling
Media Player with Windows does not seem to have put a damper on Microsoft's plans. (Bill Gates, after all,
has claimed that Microsoft virtually invented the PC. And given past Microsoft exploits such as their "Passport" project,
it would appear that Mr. Gates honestly believes he is justified in trying to control, and collect tariffs on, Internet commerce.)
The latest step in this attempt to extend Windows onto the Internet involves a dual repositioning of
Internet Explorer: While (1) the new security warnings extend the role of IE to that of firewall and
system security monitor, (2) Microsoft is simultaneously ending development of Internet Explorer as
a browser per se. The name "Internet Explorer 7" is misleading. IE7 is not a
browser update. It is only a WinXP SP2 patch. IE7 will not be available to install on any other Windows
versions, much less on any other operating system. (Even on Windows XP SP2, IE7 will only install if
Microsoft's WGA spyware has been installed first.)
In other words, Microsoft is dropping Internet Explorer as an actual software product, blending browser functionality fully into Windows, in order
to force their customers to accept Internet browsing as a Windows function in future versions of the operating system.
This leaves a somewhat odd situation for users of any Windows version other than XP with Service Pack 2 installed.
Internet Explorer is already dramatically outdated, lacking support for current Web standards such as Cascading Style Sheets. The last update
of IE was in 2001, and that was a minor update. When Windows 2000 support ends (planned for 2010), Win2000 users
will have an Internet Explorer browser installed that has not been updated for 9 years! And actually, even Windows XP users are being left
behind by Microsoft's decision to further implant Internet Explorer into the Windows operating system:
Even the meager updates to webpage rendering that Microsoft incorporated
into IE7 have little relevance to the Internet at large, since IE7 can only run on Windows XP SP2. IE6 will have
to remain the last widely supported version of IE for webmasters. (After all, it's hardly realistic to put a note on webpages
saying, "Your browser is too old for this website. Please buy a new Windows PC and then come back.")
For further discussion of the commercial implications involved with the changes in WinXP SP2
see the Overview - Windows and the Web... topic below.
What to do about the download warnings?
So what should you do about Internet Explorer download warnings?
... Put on your crash helmet, buckle your seat belt, and hope for the best!
Seriously, though....
If you are concerned about online safety but also do not want
to be wrestling with an onslaught of specious restrictions and warnings, the easiest solution is to simply
stop using Internet Explorer online. IE has a long history of security problems. In fact, the
US-CERT (US Computer Emergency Readiness Team) has warned
about the risks of using Internet Explorer. The Firefox/Mozilla and Opera browsers both have a far better security
record than Internet Explorer,
and both also have numerous user-friendly functions that have not yet made it into IE. (For example, the ability to block
3rd-party ads and web bugs, and the ability to control information sent to the website being visited.)
The Firefox browser is fast and stable, with clear and simple settings. It can be
downloaded free from www.mozilla.org.
The download is less than 5 MB. (Note that this link goes to the Firefox 1.5 download. There are problems
with Firefox 2. See the Firefox Tips page for further explanation about that.) Firefox can also import your IE
Favorites links. (File -- Import menu.)
The Opera browser is also very good and although it used to be adware,
Opera is now free. Opera takes more getting used to than Firefox does, and it does not come
with any help file. On the other hand, Firefox only comes with the most minimal help file,
and Opera has more settings options that are easier to access. Opera can be downloaded from www.opera.com.
If you still want to use Internet Explorer, or if you have no choice, see the next
topic (Fixing XP SP2 "security improvement" Nags) for options. Also see
the IE-MD page and/or the SurfSet page.
The IE-MD is a script-based utility designed to provide access to hidden IE settings that, in many cases,
may be security risks or may block you from controlling IE security settings, home page changes, etc. SurfSet
is a program with similar functionality. It provides access to hidden settings in IE, Firefox and Netscape.
But don't expect to actually fix Internet Explorer. IE has literally hundreds of
confusing - and often conflicting - settings. And it has numerous weaknesses that don't exist in other browsers,
such as Browser Helper Objects, ActiveX, Active scripting, etc. It is questionable whether a basic, reasonable level of security and
privacy online are possible at all while using Internet Explorer.
Fixing XP SP2 "security improvement" Nags
There are several Registry settings that can be changed to reduce the annoying nags and restrictions
instituted with Windows XP SP2. The details of these settings have been collected from various sources on the
Internet. (Microsoft does not seem to have documentation about most of these settings. In classic Microsoft
fashion, they have provided some ability to adjust SP2 changes but have hidden that ability from
their customers.)
A script is available here to make these settings easier to change. The script comes
with an information file that explains the details. (You just double-click the script
file and answer Yes/No questions about which warnings you want to turn off.) The script provides 6 options for
adjusting SP2 settings:
1) Option to turn off the IE information bar prompt.
2) Option to turn off the anti-virus monitoring and nag warnings about out-of-date AV definitions.
3) Option to turn off the Windows firewall and firewall nag messages.
4) Option to turn off the automatic update nags in the Taskbar.
5) Option to turn off Security Center.
6) Option to stop digital signature nags when downloading and running files.
7) Option to block the forced install of Internet Explorer 7.
Download nagfixer.zip (5 KB)
An alternative to the script is SurfSet, which has been
updated to provide access to hidden settings in several browsers. Among other options,
SurfSet can change the settings for 1) the IE information bar and 6) download nags.
Note to Scripters: Adjusting Security Settings
Among the security changes that Microsoft has made in WinXP SP2 is a
decision to make IE Local Zone security very high - higher, in fact, than security in the
Internet Zone! (If you are not familiar with IE security zones see the "IE/OE Security Model" section below.)
Many people may not notice the Local Zone security change but
it may affect scripters and will affect some of the VBScript samples available from this website.
Microsoft is calling this new security arrangement "Local Machine Lockdown". The default behavior in the past
has been that you would receive a warning prompt when running "unsafe" script in the Local Zone.
With "Local Machine Lockdown" there is no warning. It simply disables active scripting
functionality for files on your computer. It means that any webpage file on your computer that includes active scripting
will not work properly because active scripting and ActiveX (as well as MSJava) will be blocked and
you will not be given a choice in the matter. The setting to control this behavior is hidden.
The one place where it is reasonably safe to use
Internet Explorer - offline - will now be the only place where IE has high security!
"Local Machine Lockdown" will affect VBS webpage utilities such as the IE-MD, the MSI utility,
the Startup Manager utility, etc. You should be able to bypass this problem by renaming the
utility files from HTML to HTA, if you want to use that approach. For further explanation and more options,
read the next section.
Help for the WinXP SP2 IE Problems
This section is mainly for people, especially scripters, who want to use IE in the Local
Zone (on their PC) without restriction.
When Microsoft came out with Windows XP SP2 they added the new "Local Machine Lockdown" (LML)
for Internet Explorer Local Zone security. Microsoft presented LML as an extra security feature with its own Registry setting.
But their official description was not entirely accurate. There are specific LML Registry settings, which can be used to
apply or remove LML restrictions on specific programs, but the LML settings are really a flag rather than a setting.
They dictate how all other security settings are read and interpreted - whether your security choices for the Local Zone
are respected or secretly overridden by other, hidden settings. Interestingly, Microsoft has actually built in
these hidden settings since XP SP2 for all zones. Although the new function is called "Local Machine
Lockdown", it is really "Total User Choice Override". However, as of this writing the lockdown "feature" seems to
only be applied in the Local Zone.
The Local Machine Lockdown scenario is so ridiculous and complex
that it is difficult to even describe. But for the sake of anyone who wants to
really control Internet Explorer security, here goes....
Background:
Before Windows XP SP2, IE security settings were already absurdly complex.
There are dozens of settings - which have changed somewhat with each IE release - that apply
to 5 different security "zones". The Local Zone is your PC. The Internet Zone is most other
webpages. Then there are 3 optional zones that can be applied to specific domains. All of these
zone security settings are stored in the Registry, under both HKLM and HKCU keys, in the subkey
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
There are 5 subkeys there, named 0, 1, 2, 3 and 4. According to Microsoft's documentation,
with IE6 each of these subkeys contains some 57 settings for the given security zone.
To complicate matters,
the Local Zone (zone 0) is normally hidden on the Internet Options Security tab. So the average person has
no way to actually see or change Local Zone settings. To complicate matters further, there is also
an optional hidden setting that will cause all settings selected by a particular user (stored in the Registry under
HKCU) to be overridden by
an identical set of settings which apply to all users (stored in the Registry under HKLM).
So Internet Explorer security settings are a convoluted, confusing mess that is partially
hidden.
But that was just before Windows XP SP2.
After SP2 the confusion and the mess have doubled.
Microsoft created an entire second set of security zone settings in the Registry. This new set is stored here:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
So now, for any given security setting in IE, such as whether to allow scripting, there are
5 possible zones stored in 4 complete sets of Registry keys. (HKCU normal, HKCU lockdown, HKLM normal
and HKLM lockdown.) That means there are 57 settings times 5 zones times 4 sets. That is,
there are some 1140 Registry values that control Internet Explorer security settings.
Or rather, there are some 1140 Registry values which may or may not be reflected in the Internet Options Security tab. Some security settings are
also spread around, willy-nilly, on the Advanced tab and Privacy tab.
When LML is in effect, all security settings for the Local Zone are read from the
secondary Lockdown_Zones keys. You can fiddle with Local Zone settings " 'til the cows come home ",
(provided that you even know how to make those settings visible) and it will have no effect.
Also, the way that Microsoft designed the Lockdown_Zones Registry keys provides an
option in the future to override all user-selected IE security settings for all zones, not just the Local Zone.
The Lockdown_Zones Registry keys for all zones are already present.
Given the redundant, misleading and generally confusing nature of the entire
Local Machine Lockdown boondoggle, it seems best not to think in terms of LML, but rather to
just think of all IE security settings as requiring 4 Registry values per setting, per zone. In other words, if
you want to change how IE runs locally, forget LML and just set all four versions of the setting,
under both Zones and Lockdown_Zones in both HKLM and HKCU.
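To see which of the four copies is actually in force, the four-set layout and the HKLM override described above can be checked mechanically. The following is an added example, not the downloadable script offered on this page. It assumes the value name 1400 for active scripting (data 0 = enable, 1 = prompt, 3 = disable), which the page does not name, and it uses a simplified resolution model taken from the description above; the sample data is constructed.

```python
"""Audit one IE zone setting across the four registry sets (added example)."""

BASE = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
HIVES = ("HKCU", "HKLM")
SETS = ("Zones", "Lockdown_Zones")

# Assumption (not on the page): value name 1400 controls active scripting,
# with data 0 = enable, 1 = prompt, 3 = disable.
ACTION_SCRIPTING = "1400"
MEANING = {0: "enable", 1: "prompt", 3: "disable", None: "missing"}


def key_path(set_name, zone):
    """Registry subkey holding one zone's settings in one of the two sets."""
    return "\\".join([BASE, set_name, str(zone)])


def read_live(zone, action):
    """Read the four copies of one setting from the real registry (Windows only)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    copies = {}
    for hive in HIVES:
        for set_name in SETS:
            try:
                with winreg.OpenKey(roots[hive], key_path(set_name, zone)) as key:
                    copies[(hive, set_name)] = winreg.QueryValueEx(key, action)[0]
            except OSError:
                copies[(hive, set_name)] = None  # key or value not present
    return copies


def effective(copies, lockdown_active, hklm_only):
    """Pick the copy that applies, following the page's description:
    lockdown selects the Lockdown_Zones set, Security_HKLM_only selects HKLM."""
    hive = "HKLM" if hklm_only else "HKCU"
    set_name = "Lockdown_Zones" if lockdown_active else "Zones"
    return (hive, set_name), copies.get((hive, set_name))


def audit(copies, lockdown_active=True, hklm_only=False):
    """Return findings where the copies disagree or the user's copy is not in force."""
    findings = []
    source, value = effective(copies, lockdown_active, hklm_only)
    if len(set(copies.values())) > 1:
        detail = ", ".join(
            f"{hive}\\{set_name}={MEANING.get(v, v)}"
            for (hive, set_name), v in sorted(copies.items())
        )
        findings.append("copies disagree: " + detail)
    user_value = copies.get(("HKCU", "Zones"))  # the copy a user normally edits
    if user_value != value:
        findings.append(
            f"user copy says {MEANING.get(user_value, user_value)} but "
            f"{source[0]}\\{source[1]} applies {MEANING.get(value, value)}"
        )
    return findings


# Constructed sample: Local Zone (0) scripting enabled in Zones,
# disabled in Lockdown_Zones, in both hives.
SAMPLE = {
    ("HKCU", "Zones"): 0,
    ("HKCU", "Lockdown_Zones"): 3,
    ("HKLM", "Zones"): 0,
    ("HKLM", "Lockdown_Zones"): 3,
}

if __name__ == "__main__":
    for line in audit(SAMPLE, lockdown_active=True, hklm_only=False):
        print(line)
```

On a Windows machine, `read_live(0, ACTION_SCRIPTING)` returns the same dictionary shape from the live registry, so its result can be passed straight to `audit`.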
A script to toggle security in Local Zone
A script is being provided here that deals with the mess described above,
presenting a simple option to toggle between restricted security and normal security for
IE in the Local Zone. The script also provides example code that shows how to deal with
these settings under Local Machine Lockdown. In addition, the script provides an option
to make Local Zone settings visible on the Internet Options Security tab. Unfortunately, it
seems to be impossible to make the Lockdown_Zones settings visible. Increasingly, only
people intimately familiar with the IE Registry settings can know whether they are really
controlling Internet Explorer security.
Download IE Local Zone security script
Resources
You can download the SP2 "white papers" from Microsoft here.
An article about the SP2 changes is here.
UserAgent Settings - A Bit of Useless Fun
The userAgent or "userAgent string" is a string of text that the browser sends
to the server when requesting a webpage. The UA string includes the browser model and version.
It can sometimes also include other information. For the most part the UA string is harmless.
It just helps the server to give you the right webpage. But you can change the UA string if you
want to pretend to be using another browser for some reason. In the case of Internet Explorer,
you might also want to just clean up the UA string for the sake of privacy and security. Microsoft,
and some other companies, have got carried away adding information to the userAgent string and
you may not want to share some of that information. (Note, though, that if you pretend to be
using, say, Opera when you are really using IE then many websites, including this one, will
not function properly.)
The typical UA string should read something like these
two examples, for IE5 on Windows 2000 and Firefox 1 on Windows XP:
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20050915 Firefox/1.0.7
Those UA strings are pretty much self-explanatory. Now look at these two UA strings:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; FunWebProducts; (R1 1.5); .NET CLR 1.1.4322)
The first UA string above says that the client is using IE6 on Windows XP ("NT 5.1"), with Service Pack 2 ("SV1").
They are using IE6 with the Maxthon IE skin program, MS Infopath, and they also have the .Net v. 1.1 and v. 2 runtimes
installed.
The second UA string is someone using Windows XP SP2, with IE6, probably running through AOL.
They have the .Net v. 1.1 runtime installed and have picked up some other hangers-on:
something named "FunWebProducts" (probably some sort of adware) and something mysteriously named "R1".
Changing the IE userAgent string:
The first part of the UA string - "Mozilla/4.0" - is used for all versions of IE and for Netscape 4. Mozilla browsers use
"Mozilla/5.0". Opera just uses "Opera". There seems to be no way to change "Mozilla/4.0" in the IE UA string.
The rest of the IE UA string is in parentheses, in the following format:
(compatible; Version; Pre-platform info ; Platform (OS); Post-platform info)
Example:
(compatible; MSIE 6.0; Harry's Adware; Windows NT 5.1; Maxthon)
Those parts of the UA string correspond to Registry settings. These
settings are under:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\
For thoroughness, the values should be set (or removed) in both:
HKEY_LOCAL_MACHINE
and
HKEY_CURRENT_USER
to make sure that a different setting is not overriding the ones you have entered.
In Windows XP, some sources also recommend settings under the following keys,
although it appears to be specific to 64-bit Windows and is not mentioned in the official Microsoft documentation that comes with
their official "IE User Agent String Utility". (The official IE UA String Utility is a UA string adjuster,
which comes packaged in a very official MSI installer, but all it will do is to toggle
the version of IE in Windows XP between IE6 and IE7 for testing purposes.)
HKEY_LOCAL_MACHINE, SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\
The following Registry values demonstrate how to create this UA string:
Mozilla/4.0 (:-); MSIE 18.0; Finally No Bugs; Okey Dokey; Windows 2029; What a treat!)
Under the key:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\
as detailed above, should be
the following keys and values:
Key: 5.0\User Agent
    Value: "Version"          Data: "MSIE 18.0"
    Value: "Platform"         Data: "Windows 2029"
    Value: "Compatible"       Data: ":-)"
Key: User Agent\Pre Platform
    Value: "Okey Dokey"       Data: ""
    Value: "Finally No Bugs"  Data: ""
Key: User Agent\Post Platform
    Value: "What a treat!"    Data: ""
Anyone familiar with the Registry will be able to figure out how to clean or edit
their IE UA string from that information. To test your UA string changes, save the following
text as a text file, name it with an "html" extension, and open it in IE:
<HTML> <HEAD> </HEAD> <BODY>
<SCRIPT LANGUAGE="VBScript">
document.write(navigator.userAgent)
</SCRIPT>
</BODY> </HTML>
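To check what a given IE userAgent string discloses, it can be split into the five slots of the format described above (compatible; Version; Pre-platform info; Platform; Post-platform info). The following is an added example, not code from this page; the function names are illustrative, and the token descriptions follow the readings given in this section.

```python
"""Split an IE userAgent string into the page's five slots (added example)."""
import re

# Sample strings quoted in this section.
UA_MINIMAL = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
UA_MAXTHON = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; "
              ".NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)")
UA_AOL = ("Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; "
          "FunWebProducts; (R1 1.5); .NET CLR 1.1.4322)")
UA_CUSTOM = ("Mozilla/4.0 (:-); MSIE 18.0; Finally No Bugs; Okey Dokey; "
             "Windows 2029; What a treat!)")


def split_tokens(inner):
    """Split on ';' outside nested parentheses so '(R1 1.5)' stays whole.
    A stray ')' such as the one in ':-)' must not push the depth below zero."""
    tokens, current, depth = [], [], 0
    for ch in inner:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current).strip())
    return [t for t in tokens if t]


def parse_ie_ua(ua):
    """Return a dict with the five slots; raise ValueError for non-IE strings."""
    match = re.match(r"^(Mozilla/\d+\.\d+) \((.*)\)\s*$", ua.strip())
    if not match:
        raise ValueError("not an IE-style userAgent string")
    tokens = split_tokens(match.group(2))
    if len(tokens) < 3 or not tokens[1].startswith("MSIE "):
        raise ValueError("no MSIE version token in second position")
    # The platform is the first token after the version that names Windows.
    platform_at = next(
        (i for i, t in enumerate(tokens[2:], start=2) if t.startswith("Windows")),
        None,
    )
    if platform_at is None:
        raise ValueError("no platform token found")
    return {
        "product": match.group(1),
        "compatible": tokens[0],
        "version": tokens[1],
        "pre_platform": tokens[2:platform_at],
        "platform": tokens[platform_at],
        "post_platform": tokens[platform_at + 1:],
    }


def describe(token):
    """Label a token using the readings given in this section."""
    if token == "SV1":
        return "Windows XP Service Pack 2"
    if token.startswith(".NET CLR "):
        return ".NET runtime " + token[len(".NET CLR "):]
    return "add-on or other installed software"


def disclosures(ua):
    """List (slot, token, description) for everything beyond the minimal string."""
    parsed = parse_ie_ua(ua)
    return [
        (slot, token, describe(token))
        for slot in ("pre_platform", "post_platform")
        for token in parsed[slot]
    ]


if __name__ == "__main__":
    for slot, token, what in disclosures(UA_AOL):
        print(f"{slot:14} {token:20} {what}")
```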
Background - A Brief History of Internet Explorer
Interactive webpages
As the Internet was becoming popular there was an increasing desire for the ability to have
interactive webpages. HTML provides a way to publish graphical and written material on
a webpage but it does not allow the viewer to interact. Commercial websites, especially,
wanted to be able to provide interactive services from webpages such as, for example,
providing a mortgage calculator on a banking website. There are basically two
ways to do that: server-side and client-side. Server-side means that you click a button on the webpage
and a program on the web server calculates your mortgage payments. Client-side means that you
click the button and script code in the webpage executes on your computer to calculate your
mortgage payments. Client-side functionality is easier and requires less processing power
on the web server, so it became very popular.
The development of client-side code
The Netscape browser provided for a certain amount of client-side code in webpages by
using javascript. ("Script" here refers to programming code that is written as plain text
and can be included in webpages, along with HTML.) That approach provided the ability to
make webpages that could do things like compute mortgage interest.
When Microsoft introduced the Internet Explorer browser to compete with Netscape they
took the approach of client-side functionality further. (At that time people were not very worried about security
on the Internet.) Microsoft expanded the abilities of script in their browser to include
"active scripting" and created components, or small programs, referred to as "ActiveX controls".
An ActiveX control can be a visible item such as a stock ticker or rotating picture frame, or it can also be
a non-visible item such as a database component. Active scripting provided for using ActiveX controls
"embedded" in webpages. If you went to a website that had an ActiveX stock ticker
then Internet Explorer would silently download the program, the ActiveX control, and run it
to show you the stock ticker. This made it appear that the stock ticker was on the website but it was actually
running on your computer.
The success of Internet Explorer
Microsoft's Internet Explorer gradually became a very flexible browser with a great deal
of functionality. Complex, webpage-based programs could easily be created to run in the Internet Explorer
window through the use of scripting and ActiveX. Web site designers liked the flexibility and power of Internet Explorer, and many
began to depend on it. Over time, an increasing number of websites required Internet Explorer and
Netscape began to lose ground.
At the same time Microsoft was integrating IE functionality into the Windows
Desktop with things like "Web View" folders. That strategy led to great success in capturing
the browser market but it had ominous implications for the future.
Long term results
Now, fast-forward to the present: Internet Explorer is by far the most-used browser but over
time Internet security has become an increasing problem and IE has not kept up. IE has become
an increasing security risk due to the dual design problem of tying IE into the Windows operating system
while at the same time enabling numerous risky functions such as "active scripting",
"ActiveX", Browser Helper Objects, HTA (HTML applications), etc. The integration and clever functionality that makes
IE so useful for running browser-based programs on corporate intranets have made it a security disaster
on the Internet, as one vulnerability after another has been found and exploited by virus writers, spammers,
etc.
One well known problem, known as "Download.ject" or "Scob", is a clear example
of the problems with the design of Internet Explorer: Download.ject involved a criminal
organization installing keystroke loggers to steal credit card passwords. Over 100 popular websites
were compromised with outside code that caused visitors using IE to download and install
a keystroke logger program from a website in Russia. The keystroke logger could then steal
credit card numbers and passwords as they were typed, before being encrypted for a secure
transaction. With Download.ject, as with many other IE vulnerabilities, the solution was
to turn off scripting, but IE makes that very difficult to do. Even IE "High" security level does
not disable scripting. There is no high security available in IE unless you carefully set all IE
security options by hand with the "Custom Level" option.
The latest wrinkle: WinXP SP2
Microsoft has been understandably reluctant to make substantial security improvements to Internet
Explorer: They have a lot invested in their ActiveX and making their browser safer by increasing
ActiveX security would disable the websites where ActiveX is still used. Also, while script is implicated in the vast
majority of browser vulnerabilities, script is also used quite a bit by commercial websites. And script
is critical to the increased interactivity (and increased security problems) of the "Web 2.0" fad.
Microsoft is so
reluctant to limit scripting and ActiveX in IE online that they made a truly bizarre change in WinXP SP2:
On the one hand, they
still make it very difficult to disable active scripting and ActiveX on the Internet (despite the fact that many people may not
need that functionality). And they still provide no way to disable HTA, a zero-security type of webpage that most people
have no use for. On the other hand, IE after SP2 has active scripting and ActiveX disabled
for local webpage files. That is, ActiveX can run from any website that you visit but it cannot run
from a webpage on your own computer - and the setting to control that behavior has been hidden.
This is like a company that makes a toaster prone to catching on fire but is
hesitant to redesign their successful product, so they redesign the toaster's plug instead.
A safer plug might be a good idea to prevent electrocution, but that wasn't the part of
the product that needed fixing.
So the Internet Explorer problems continue unabated. As of February 2008,
ActiveX problems are as bad as ever.
Not learning that lesson, companies such as Yahoo, MySpace and Facebook
have created custom ActiveX controls that are currently being exploited.
The IE/OE Security Model
Internet Explorer and Outlook Express security run parallel
because the window in which HTML email is viewed is actually an IE window.
IE uses a multi-level security model that theoretically provides for great flexibility - allowing IE
to restrict risky behavior in "untrusted" environments while still being a very adaptable tool
in secure environments. That is, IE can be set to limit what a webpage can do on the Internet
while allowing script to create webpage-based programs to be used on the local computer
or within corporate intranets.
Security Levels
The levels of security in Internet Explorer are 5 "zones": Restricted, Internet,
Trusted, Intranet and Local.
Files on your own computer are in the Local zone. If you download
a webpage and open it on your Desktop that is Local Zone security. Everything outside of your
computer is in the Internet zone unless specifically set to be otherwise. You can add specific websites
to the Trusted zone or the Restricted zone, for instance.
When you open the IE settings from the menu Tools -- Internet Options there is a Security
tab for setting IE security. There you can set security options such as scripting and ActiveX permissions
for each zone.
However, if you look at these settings it will be clear that Microsoft never
intended for people to be able to control their own IE settings.
The only way to actually choose secure settings is to
adjust the security settings individually by clicking the "Custom" button, because the so-called "High"
level of security is useless: It leaves scripting and ActiveX enabled while disabling file downloads!
But the settings in the Custom window are very complex and confusing,
with no explanation whatsoever provided in the IE help.
There are over 50 settings
for each zone, totalling over 250 settings on the Security tab alone, and many of the descriptions
for these settings are quite obscure, such as "Navigate subframes across different domains" or
"Software channel permissions".
To compound the confusion, the Local Zone is hidden by default. Any brave soul who endeavors to sort out his or her own security
settings needs to research even further in order to adjust those settings for files on their own computer.
And the madness does not stop there. There are several exceptions to this already convoluted system
that are largely undocumented, unknown and unavailable to the average user: There are settings to hide access to settings.
There is the undocumented "SafeSites" setting (which seems to be used only by Microsoft and a few virus authors)
that creates exemptions from IE security for specific
domains. There is even a setting that will cause all of your settings selections to be overridden
by settings in another section of the Windows Registry. (The setting
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only set to 1
will cause all personal settings to be ignored. The setting was designed so that corporate, network administrators could
override employee changes. But on home or small office PCs it also allows spyware or disreputable ISPs (like AOL) to override
your security settings.)
And the madness does not even stop there. As described above, in
Windows XP Service Pack 2, the hundreds of security settings have been doubled, now stored in the Registry as
four redundant sets of Registry values, totalling close to 1,200 settings.
....And that's just the security settings. Then there are settings (inaccessible except through the Windows Registry)
that allow Browser Helper Object and Browser Extension plugins to attach themselves to IE, monitor
your web browsing activity, and even edit the pages that you see.
The fact that this webpage you are currently reading is necessary at all is a testament to the security
mess that is Internet Explorer. Given all of that, if you still want to use IE and
want to attempt managing the IE security calamity, the IE-MD Utility may be helpful.
The IE-MD provides access to various settings that Microsoft has
kept hidden from Internet Explorer users.
But remember that having access to these settings is only half of the
problem. If you cannot quickly and easily toggle between medium and extra-high
security for different websites, then you will probably find that adequate security in IE
is simply not workable.
Improving how IE security levels work
Tweak Revisited has the option to redefine IE High security
as a setting that is actually useful, though Tweak Revisited can only be used on Windows 95/98/ME. (See the Download Tips page for a
free Tweak Revisited activation code.)
The following explains how to customize IE security levels, but it will only be useful
to people who are familiar with the Windows Registry:
If you are accustomed to working with the Windows Registry you can change the IE security levels
yourself. The way it works is that when you click, for instance, the "High" security level in the
IE security settings, IE looks up what that means and sets the 30-odd security settings accordingly.
IE finds out what "High" security means by looking at the key:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\High\
That key can be in HKCU or HKLM, depending upon the IE version. IE then copies
the values from that key into:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
(Note: The "3" key is for the Internet Zone. The "0" key is Local Zone, "4" is Restricted, etc.)
So in other words, the security levels, such as Low, Medium and High, each represent
a complete set of security values. When you select, for instance, Medium, IE sets all of the 30-odd settings in
the given zone according to the Medium security settings found in the TemplatePolicies key.
The easiest way to change how the "high" security setting works is to first set Internet Zone security to
your liking in the IE security settings window (Custom level). Then open the .....Zones\3\ key and copy
the values there. Each setting is represented by a number and most have data of 0 (enabled),
1 (prompt), or 3 (disabled). For example, "Download signed ActiveX controls" is represented by
the value 1001. If you set ....Zones\3\1001 to 3 (and also set "CurrentLevel" to 0 for "custom") then
you will find that "Download signed ActiveX controls" has been disabled in the IE Internet Zone security settings.
Next, having copied the values in the ...Zones\3\ key, compare them to the values in the
.....TemplatePolicies\High\ key. Change the values in .....TemplatePolicies\High\ that differ from
the values in ....Zones\3\. The result will be that you can now simply select High security
in the IE settings and it will actually be high security...It will be the custom level that you selected.
(Note: Don't forget to export the newly-adjusted TemplatePolicies key to a .REG file,
to make sure that you won't have to perform that tedious job again.)
Note for Windows XP SP2 and Later:
Anyone customizing their IE security Registry settings might want to also read the
above description
of how Local Machine Lockdown works and edit the "Lockdown_Zones" Registry keys in the same way that
the "Zones" Registry keys are edited.
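The compare-and-update step above, together with the Security_HKLM_only override described earlier, as an added example that is not part of the original page: it reads a registry export, lists the settings where TemplatePolicies\High differs from the customized Internet Zone, and builds the matching .REG text. The sample export is constructed, and placing the template under HKLM is an assumption (it can be HKCU or HKLM, depending upon the IE version).

```python
import re

# Constructed sample export in regedit text format (not captured from a real PC).
# Only value 1001 ("Download signed ActiveX controls") is named on the page.
# Assumption: the template lives under HKLM; some IE versions keep it in HKCU.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
HIGH_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\High"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE = "\n".join([
    "REGEDIT4", "",
    f"[{ZONE_KEY}]", '"CurrentLevel"=dword:00000000', '"1001"=dword:00000003',
    '"1004"=dword:00000003', '"1200"=dword:00000001', '"1400"=dword:00000003', "",
    f"[{HIGH_KEY}]",
    '"1001"=dword:00000001', '"1200"=dword:00000001', '"1400"=dword:00000000', "",
    f"[{POLICY_KEY}]", '"Security_HKLM_only"=dword:00000001',
])

ACTION = re.compile(r"^[0-9A-Fa-f]{4}$")  # zone settings are named by 4 hex digits

def parse_reg(text):
    """Return {lowercased key path: {value name: int}} for the dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def template_changes(keys):
    """Zone data for settings the High template lacks or holds differently."""
    zone, high = keys.get(ZONE_KEY.lower(), {}), keys.get(HIGH_KEY.lower(), {})
    return {n: v for n, v in sorted(zone.items())
            if ACTION.match(n) and high.get(n) != v}

def hklm_only(keys):
    """True when Security_HKLM_only=1, i.e. per-user zone settings are ignored."""
    return keys.get(POLICY_KEY.lower(), {}).get("Security_HKLM_only") == 1

def reg_patch(changes):
    """REGEDIT4 text that brings TemplatePolicies\\High in line with the zone."""
    body = [f'"{n}"=dword:{v:08x}' for n, v in changes.items()]
    return "\r\n".join(["REGEDIT4", "", f"[{HIGH_KEY}]", *body, ""])

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE)
    if hklm_only(parsed):
        print("Security_HKLM_only=1: HKCU zone values are being overridden")
    print(reg_patch(template_changes(parsed)))
```

Exports saved by the Windows 2000/XP Registry Editor in its default format are UTF-16 and begin with a different header line, so decode the file before passing it to parse_reg; the parser ignores the header either way.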
Windows Security in General
This section is just meant to provide a few simple tips for people who
may be confused about Windows security in general, and WinXP SP2 security
in particular.
There are numerous potential security problems when using Windows online. For most
people it is not realistic to attempt fixing all of these problems because the settings
involved are too complex and poorly documented. And Windows itself will not cooperate
in many cases.
Windows 95/98/ME vs Windows NT4/2000/XP
The security issues are somewhat different for "Win9x"
(Windows 95, 98 and ME) as opposed to "WinNT" (Windows NT4, NT5.0 (2000) and NT5.1 (XP)).
Win9x is easier to protect in the sense that it is a simpler system, more under
the control of the user. WinNT is a multi-user system designed for use as a corporate
workstation. It has a number of potentially vulnerable network communication functions that run by default
and some cannot be disabled. For WinNT, security means that individual users can
be limited in their access to particular files and programs. In other words, WinNT is designed
to be used by employees on a corporate intranet, where the network is safe and it is
the employees who may not be trusted. With home and small office PCs, on the
other hand, the user(s) of the system is typically not a security risk, but the Internet is.
Since Microsoft designs Windows to satisfy their corporate customers, Windows
has been increasingly saddled with unnecessary security risks - vulnerable functions
that run by default and can't be shut off, such as
Windows Workstation service, and Remote Procedure Call (RPC), that
serve no purpose to most non-corporate Windows users.
Are older Windows versions really less secure?
Microsoft likes to portray older Windows machines as being vulnerable, and
Microsoft spokespeople have said that Win9x (Win95/98/ME) cannot be secured.
Claims to that effect are kept in the news by various press releases. For example, a
BBC article
quoted a member of "Symantec's Threat Team". (That may sound like a new set of Mattel
action figures, but apparently it's actually a group of adults who have styled themselves
to be some sort of superhero, anti-virus, commando unit.)
In reference to a Symantec "study" that found increasing numbers of Windows computers are being
hijacked online to help spread spam and viruses, the quoted
Symantec employee
says that Win95 and Win98 are the biggest part of the problem:
"The key challenge for Microsoft is not XP users...
it's the Windows 98 and 95 machines. Getting those people to upgrade and improve their security is going to make the difference."
Yet no explanation is given for that statement.
If one looks at the facts it appears that the constant claims of insecurity in
Win9x really amount to a kind of propaganda marketing.
The vast majority
of security problems have actually been found in Windows XP and in later versions of
Internet Explorer (v. 5.01+). Many of those vulnerabilities do not exist in earlier versions
of Windows and Internet Explorer. While a just-patched version of Windows XP,
with the XP firewall running, may be safer in some respects
than Windows 95 or 98 with no extra protection,
that same XP system is no match for Win95/98
where a good firewall program is
installed, and where Internet Explorer is not being used online.
A good example of that fact can be
found
in this article
explaining how Microsoft took 5 months to patch an XP SP2 bug that could leave shared files open
to the whole Internet....while new, unpatched bugs continue to pop up.
Improving Online Security
This webpage makes no attempt to offer comprehensive directions for
improving security in Windows, especially for the bloated and uncooperative
Windows XP, with its dozens of added "services" running in the background. If you
want to really manage security for WinXP you will need to learn about what each service
is and how the interdependencies of various services are structured.
For a clear, general overview of security issues and vulnerabilities in WinXP, and how they relate to SP2,
see
this article at The Register.
However, there are four simple things that can be done to greatly improve security in any Windows version without requiring
excessive effort or study:
1) Install a firewall. There are firewall links on the
Tweaks and Fixes page.
(The Windows XP "fox-guarding-the-henhouse" Windows Firewall should not be depended on.
And the version prior to SP2 does not even monitor outgoing traffic, such as spyware
and "trojan horse" viruses.)
2) Install a new browser, such as Firefox, and stop
using Internet Explorer online. As explained above, Internet Explorer has a long history of vulnerabilities and
design flaws, and IE security has not been appreciably improved in WinXP SP2.
3) Disable script in your browser whenever possible. It may be required for some specific websites,
but for most websites script is an unnecessary security risk.
Some people may think that disabling script is an extreme step, but it will go a very long way toward stopping both security and privacy
problems online. The vast majority of past browser vulnerabilities have been connected to JavaScript.
4) Avoid using Microsoft software online. In addition to Internet Explorer, that includes Outlook, Outlook Express,
MS Word, etc. (Mozilla.org, the makers
of Firefox, also make
Thunderbird, an email program modelled after
Outlook Express that can import your OE email and settings.)
If you do use Outlook/Outlook Express, do not
leave the Preview window open and avoid viewing HTML email whenever possible.
The Preview window displays HTML email through Internet Explorer, so it is vulnerable
to IE problems. A questionable email in Outlook or OE can be safely opened as text in
the following way:
With the Preview window closed, right-click the email, select Properties -- Details tab -- Message Source.
In addition to that precaution, adjust your security settings to minimize
virus attacks from viewing HTML email: Go to Internet Explorer -- Tools -- Internet options -- Security tab.
In the zones area select "Restricted" and click the Custom button. In the "ActiveX controls and Plugins"
section set all values to disabled. If there are cookie settings, set them to disabled. Set Java to disabled.
Set all Scripting settings to disabled. Finally, click OK. (Do not click Reset.) Next, in Outlook Express -- Tools --
options -- Security tab, in the Security Zones section, select the Restricted zone.
Those changes will provide greater protection with HTML email by
disabling the security risks, such as ActiveX, scripting and Java, that are normally enabled
even in the Restricted zone.
Overview - Windows and the Web, from Active Desktop to Vista
Microsoft
has made some security improvements with WinXP Service Pack 2. The new Outlook Express
ability to control HTML email and the IE popup blocker function, for example, are
"just what the doctor ordered". Those changes are still just a beginning in terms of
catching up to the functionality of Mozilla/Firefox and Opera -
and they're of no help to non-XP users - but they are, at least, improvements.
Yet there is also another, different angle on the changes in XP SP2: that of
Microsoft's long-term marketing strategy.
In brief,
as Microsoft's major software products, such as Office and Windows, have reached maturity
(and beyond) the company can no longer depend on constantly expanding sales. In response to that
Microsoft has been moving toward a business model of "web services" - leasing software-based
services that can be billed over and over again, rather than selling software that can be sold only once.
Microsoft has been trying to market an online
version of Office and the next version of Windows, known as Vista (formerly "Longhorn"), is expected to
further promote web-based software services.