Back to Top
Explanation of Warnings When Files Are Downloaded and/or Opened
When you download and/or open files from JSWare with Internet Explorer in Windows XP with Service Pack 2 (WinXP SP2) or later,
you may see a popup message entitled "Security Warning". The warning is a result of changes
made in SP2 and has nothing
to do with the files from this website. You can safely ignore the warning. Or see below
for a solution to stop the warnings.
The Full Story
Windows XP SP2 added a number of security changes to
Internet Explorer. One of those changes is to check downloaded files that may be executable,
or that may themselves contain executable files,
to see whether they have a "digital signature". If a valid digital signature is not found
IE will then display a "Security Warning" popup that says, in part, "The publisher could not be verified.
Are you sure that you want to run this software?....You should only run software from publishers
you trust." The warning implies that the downloaded file could be somehow dangerous and
that the source may be somehow not "trustworthy".
What is a digital signature?
A digital signature is an encrypted code that can be used to mark files. It is a license of sorts. Various companies set themselves up
as "certificate authorities" to sell this service. Other companies pay the certificate authority
and in exchange get a "signing key" with which to mark their files. The certificate authority holds
a corresponding key. There are various types of certificates. In this case the certificate
is specific to Internet Explorer.
The way it works is that Ace Software pays Acme Certificates for a key, with
which Ace marks their software files. When you download a file from Ace Software, Internet
Explorer can send the key to Acme Certificates to have it checked for authenticity, to make
sure that the file really came from Ace Software.
Why are digital signatures used?
Digital signatures have mainly been used to verify the source of ActiveX controls
being loaded by webpages. ActiveX controls are actually small programs that can be embedded in webpages and run in Internet Explorer. Microsoft
invented ActiveX controls, in part, as a way to extend the functionality of Internet Explorer. An ActiveX control might do anything
that normal software does. It might be a graphical element like a chart or button. Adobe's Flash is also an ActiveX control when it
runs in IE. A control might also be software that accesses your files. All of these types of controls are actually executable programs,
like EXE files. They are not part of a webpage.
They are run on your PC by code in the webpage.
Since ActiveX controls are usually loaded silently without user interaction, there needs to be some kind of
system in place to prevent malicious websites from loading and running unsafe ActiveX controls. Digital signatures were
implemented for that purpose, as an attempt to make ActiveX controls safe by applying security restrictions with regard to what files a website might run from a webpage.
What is different since Windows XP Service Pack 2?
Starting with Windows XP SP2, Microsoft made a unilateral decision that many files offered for download should be
marked with Microsoft's "Authenticode" digital signature, which can be recognized
by Internet Explorer.
IE has been redesigned
to monitor not just the loading of ActiveX controls, but also voluntary, deliberate actions on your part.
If you download
and open files that do not have a Microsoft-specific digital signature you will be warned that the
file may not be "trustworthy". Depending upon your security settings, Internet Explorer may even block
the download with a message saying, "your current security settings do not allow this file to be downloaded”.
JSWare does not use digital signatures, "Authenticode" or otherwise. We do not agree with the notion that
we should need to have an official Microsoft license in order to offer data files, images, software, etc. to the public. If you download files
such as program installers for WEB-ED Editor, JS PhotoPrep, etc.
you could receive a warning about the safety of those files.
This is not a problem with files from JSWare. It is a problem with
Internet Explorer.
Also note: A digital signature or certificate does not necessarily indicate a
reputable company. It's not impossible to forge digital certificates, and anyone willing to pay
a modest fee can buy one. See
"How VeriSign Could Stop Drive-By Downloads"
for an interesting discussion of how numerous sleazy companies buy digital certificates in order to exploit bugs in Internet
Explorer that allow them to force-install spyware and adware. (In other words, digital certificates have become a way
to
bypass security restrictions in IE.) Other related links of interest:
This article and
this article at The Last Watchdog
discuss increasing problems around certificate forgery and theft.
This one at Ars Technica describes how websites
that use the "TrustE" logo are
more likely to be unsafe. And
this one at Ars Technica
describes Versign's attempt to get in on the "trustworthiness" business with yet another certificate or "trusty logo". In short, there's a lot of money to be made online
IF people trust online companies. And there's a lot of money to be made in the trustworthiness business. Unfortunately, though,
online security is not getting better. Aside from malicious hackers, the big corporations running big online business have become
the biggest threat to security and privacy.
Why is Microsoft trying to oversee downloads?
Why, indeed. It has never been the job of a browser to oversee what you download. How is it that Microsoft
thinks their browser program should second-guess your actions? And they won't even admit that that's what they're doing. One of the
newer warnings says something like, "your current security settings do not allow this file to be downloaded". Yet you
probably don't remember choosing those particular security settings...because you didn't. Microsoft did. (And those settings
are not "your security settings". Just as with the "Internet Options" applet in Control Panel (which actually just goes to the IE program settings), Microsoft
is deliberately conflating Internet Explorer settings with Web-related settings in general. Part of the reason for this webpage is that
many people who are
enduring frustration with blocked downloads do not realize that the problem is actually coming from Internet Explorer.
The Security Angle
Ostensibly these nags and restrictions are in the interest of security, but it's not quite that simple: Internet Explorer has
had a bad reputation in terms of security for many years. Microsoft is
under pressure to do something about it. But they can't do very much. The only way
to make IE even moderately safe to use would be to disable scripting and ActiveX, or at least to make it very easy to only enable
those functions on specific websites where they are absolutely necessary. Script is the weak link in browser security.
It is required for the vast majority of online attacks. Script clearly should be disabled by default.
ActiveX is worse. So why not have a big red button on the browser's toolbar that says, "Enable active content for this page only"?
The problem is that if Microsoft even just disabled ActiveX by default then
many webpages that depend on it would cease to function and Internet Explorer would get an even
worse reputation than it currently has. The elephant in the room here is that people want "Web 2.0" interactive, online services, like Facebook, maps, automated
shopping, dating sites, banking, bill paying, etc. And online companies want to sell those services.
And those interactive services require script, Flash, etc. -- executable code running through the browser. But online activity
can never be safe as long as it requires enabling executable code. No one on any side of the issue wants to admit that.
Since Microsoft cannot really fix their browser, they are instead trying to shift the focus of the security debate. Microsoft
wants to portray the Internet as a fun and colorful shopping mall, where you can safely open your wallet wide as long
as you trust Microsoft to protect you from "baddies" and busy yourself with "consuming services" from "trustworthy"
sources. (That is, large corporations like Microsoft and their partners.)
This confused, mixed-motive security focus at Microsoft - restricting the functionality of Internet Explorer without fixing the
real security problems - has resulted in an increasingly absurd situation:
In a January 2005
interview,
Bill Gates was asked about the fact that people are abandoning Internet Explorer for security reasons. He responded,
"Well, no one invests more in security of their browser than what we do on IE. The key
message we have for
people is they should turn on auto update because if you turn on auto update....you can know that there are
hundreds of very smart people who are constantly improving your browser and making sure that you're safe. And so
with auto update and IE, you're getting the top security team and the quickest response team that there is anywhere."
It's understandable that Bill Gates would want to show IE in a good light, but there's a comic irony
in his statement: At the moment that Bill Gates was speaking those words, while the latest version of Internet Explorer
was pestering people about downloading "untrusted" files, it was also being
attacked by mere webpages, through
bugs present in the then latest Windows update
that allow code to be run on a client computer by
just visiting a webpage using IE. Those "hundreds of very smart people" comprising
the "quickest response team", working "constantly" for over two months, had yet to come up with a solution to make it
safe for people to just open a webpage in Internet Explorer. In fact, according to reports, that "quickest response team"
left
Internet Explorer vulnerable online for a total of 284 days in 2006!
Some known bugs have gone unpatched for over a year by that "quickest response team", such as
this threat in July, 2009.
By 2010, several years after Microsoft started with the nags and restrictions in IE, little was changed. In February 2010,
MIT's Technology Review ran
this article about grave problems with
IE security. This particular case clearly demonstrates the fundamental pathology of Microsoft's approach to security: When Microsoft was informed
of the problems their response was that they
"...could not patch some of the flaws... In some cases, this was because the flaws
were closely related to intended features of the browser."
Microsoft's answer to the problem
typically missed the point. They recommended more restrictions and more of their famously obscure and convoluted Registry settings.
So what's the solution?
Would Bill Gates have us require that all webpages also include a Microsoft digital signature
before they can be viewed? Then again, another bug
allowed a computer to be attacked by merely viewing a JPG file.
And 2010 brought a steep rise in attacks that exploit scripting bugs in Adobe's
PDF files and Flash cartoons.
So maybe all files should have Microsoft digital signatures? Or should
we perhaps just let Microsoft run the Internet, in the interest of safety? Ahh.... funny you should mention that...
The Commercial Angle
There is also another important point to be noted here in regard to digital
signature warnings: As the explanations above make clear, digital signatures and "trustworthiness" are generally a commercial, corporate phenomenon.
Small companies and individuals usually don't mark their files with digital signatures.
So the increased "security" nags dovetail with Microsoft's ambitions
to commercialize the Internet for their own purposes. Clearly, inexperienced users of IE who
have seen a few of those "Security Warning" popups are likely to get the impression that only corporate, commercial products,
from companies cooperating with Microsoft, are safe to download and use.
The fact is that Microsoft is only one of
many corporate entities who would like to "de-democratize" the Internet and reduce it to merely
a giant, corporate shopping mall free of private websites and free of "mom-and-pop" competition. But Microsoft is in a uniquely powerful position due to their PC
operating system monopoly.
The "security" changes in Internet Explorer are in line with Microsoft's move toward recreating Windows PCs as web-service
appliances. (
The Register did an interesting analysis
of this situation as long ago as October 2003). Bill Gates, after all,
has claimed that Microsoft virtually invented the PC. Given past Microsoft exploits such as their "Passport" project,
it would appear that Mr. Gates and Mr. Ballmer honestly believe they are justified in trying to control, and collect tariffs on, Internet commerce.
And the best way to control online business is to control the bottleneck of online experience: the browser.
For further discussion of the commercial implications involved with the changes in WinXP SP2+
see the
Overview - Windows and the Web... topic below.
What to do about the download warnings?
So what should you do about Internet Explorer download warnings?
If you are concerned about online safety but also do not want
to be wrestling with an onslaught of specious restrictions and warnings, the easiest solution is to simply
stop using Internet Explorer online. IE has a long history of security problems. In fact, the
US-CERT (US Computer Emergency
Readiness Team)
has warned
about the risks of using Internet Explorer.
The
Firefox and
Opera browsers
both have a far better security
record than Internet Explorer, and both are far more user-friendly in terms of having clear, accessible
settings. (
Note: The Firefox browser is funded in large part by Google, which has had a corrupting influence.
For example, the cookie settings in Firefox 3 have been hidden behind the nonsensical "custom history settings".
Google does not want people to delete cookies. Period. Nevertheless, Firefox settings are still far more usable
than IE settings. See the
Browser Tips page for further
info. about customizing Firefox and fixing its drawbacks. Also, try the
K-Meleon browser for something that's essentially
Firefox without the commercialization and excessive bloat.)
If you still want to use Internet Explorer, or if you have no choice, see the
topic below,
Fixing Internet Explorer "security improvement" Nags, for options.
Don't expect to actually fix Internet Explorer. IE has literally thousands of
confusing - and often conflicting - settings. And it has numerous weaknesses that don't exist in other browsers,
such as Browser Helper Objects, ActiveX, etc. It is questionable whether a basic, reasonable level of security and
privacy online are possible at all while using Internet Explorer.
Back to Top
The Madness Continues with .Net - ActiveX Redux:
In December 2010 Microsoft warned,
here and
here,
about a serious attack that could take over the PC of anyone using any version of Internet Explorer if they visit an infected website. The problem was said to be
a bug in one of the parts of IE. (mshtml.dll)
What Microsoft did not make entirely clear was that the attack also depends on a bug in another file: mscorie.dll. As explained
here, mscorie.dll is actually part of .Net, not IE. They also did not
mention in the "Workarounds" section of their warning that people with .Net installed might uninstall or disable it to protect themselves from the attack.
That's because Microsoft do not want people to think of .Net as an optional product.
Mscorie.dll is used so that
"Web-based applications can use Microsoft Internet Explorer 5.5 and later to download and run Microsoft .NET Framework assemblies." In other words,
this buggy attack vector is a .Net component designed to allow websites to download and run software on your PC!
.Net is Microsoft's competitor to Java. Like Java it's mainly web-oriented. Like Java it adds additional security risks online. Also like Java, most people using PCs don't actually need it. For anyone who
has not installed .Net-based software, .Net just adds
unnecessary bloat and risk.
This is history repeating itself. Microsoft
defeated Netscape, in part, by making IE more powerful than Netscape. They did that by tying IE into Windows and adding to IE the ability to use ActiveX controls (Windows components). But that strategy
was also flawed. ActiveX was designed for use in both IE and Windows. As a result it was not optimized for either, and it introduced a new class of IE security problems:
system components that could be commandeered through webpage code. Now Microsoft is trying to do the same thing again in their attempt to compete
with "cloud" software. Microsoft are tying their gigantic .Net system into both Windows and IE. Again their strategy holds the promise of highly functional,
"rich" software running through IE. Again it's a fundamentally flawed, unsafe strategy. And again it results in a compromised product: not optimized for Windows and not
safe in the browser.
In fact, with IE9 and IE10 Microsoft seems to be determined to fully return to the problems of the 90's.
IE9 will only run on Windows Vista/7. IE10 will only run on Windows 7. Microsoft is moving to
tie IE deeply into Windows again, and
trying to cast that move as a browser improvement.
Back to Top
Fixing Internet Explorer "security improvement" Nags
The
IE-MD is a utility written specifically for controlling obscure settings in Internet Explorer.
It's somewhat out of date now, especially for people on Windows 10, but may be useful to people
using older IE versions.
As of November, 2011, the
IE-MD was updated to support IE versions 5-8.
IE-MD is a free HTA program. That is, it's a webpage "program" that you run on your PC,
in Internet Explorer. The webpage creates an interface to provide easy buttons and checkboxes that
can be used to adjust numerous harassing, maddening, restricting -- and mostly hidden -- Internet Explorer
settings. (It should work fine with IE9, but IE9 is very limited, only able to run in Windows Vista/7, so it has not
been specifically treated in this update.)
Download IE MD
Back to Top
Note to Scripters: Adjusting Security Settings
Among the security changes that Microsoft has made starting with WinXP SP2 is a
decision to make IE Local Zone security very high - higher, in fact, than security in the
Internet Zone! (If you are not familiar with IE security zones see the "IE/OE Security Model" section below.)
Many people may not notice the Local Zone security change but
it may affect scripters and will affect some of the VBScript samples available from this website.
Microsoft is calling this new security arrangement "Local Machine Lockdown". The default behavior in the past
has been that you would receive a warning prompt when running "unsafe" script in the Local Zone.
With "Local Machine Lockdown" there is no warning. It simply disables active scripting
functionality for files on your computer. It means that any webpage file on your computer that includes active scripting
will not work properly because active scripting and ActiveX (as well as MSJava) will be blocked and
you will not be given a choice in the matter. The setting to control this behavior is hidden.
The one place where it is reasonably safe to use
Internet Explorer - offline - is now the only place where IE has high security!
Help for IE Problems in WinXP and Vista/7
This section is mainly for people, especially scripters, who want to use IE in the Local
Zone (on their PC) without restriction. The information here is generally relevant for Windows XP/Vista/7
with IE6 and later. Each version of IE and each version of Windows has been more complex and restricted
than the last, but many of the issues are common to all versions. See the
IE-MD download for detailed
information and sample code related to IE security and restriction issues.
When Microsoft came out with Windows XP SP2 they added the new "Local Machine Lockdown" (LML)
for Internet Explorer Local Zone security. Microsoft presented LML as an extra security feature with its own Registry setting.
But their official description was not entirely accurate. There are specific LML Registry settings, which can be used to
apply or remove LML restrictions on specific programs, but the LML settings are really a flag rather than a setting.
They dictate how all other security settings are read and interpreted -- whether your security choices for the Local Zone
are respected or secretly overridden by other, hidden settings. Interestingly, Microsoft has actually built in
these hidden settings since XP SP2
for all zones. Although the new function is called "Local Machine
Lockdown", it is really "Total User Choice Override". However, as of this writing the lockdown "feature" seems to
only be applied in the Local Zone.
The Local Machine Lockdown scenario is so ridiculous and complex
that it is difficult to even describe. But for the sake of anyone who wants to
really control
Internet Explorer security, here goes....
Background:
Before Windows XP SP2, IE security settings were already absurdly complex.
There are dozens of settings - which have changed somewhat with each IE release - that apply
to 5 different security "zones". The Local Zone is your PC. The Internet Zone is most other
webpages. Then there are 3 optional zones that can be applied to specific domains. All of these
zone security settings are stored in the Registry, under both HKLM and HKCU keys, in the subkey
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
There are 5 subkeys there, named 0, 1, 2, 3 and 4. According
to
Microsoft's documentation,
with IE6 each of these subkeys contain some 57 settings for the given security zone.
To complicate matters,
the Local Zone (zone 0) is normally hidden on the Internet Options Security tab. So the average person has
no way to actually see or change Local Zone settings. To complicate matters further, there is also
an optional hidden setting that will cause all settings selected by a particular user (stored in the Registry under
HKCU) to be overridden by
an identical set of settings which apply to all users (stored in the Registry under HKLM).
Yet the settings you see in Internet options will still be those you selected -- your
personal settings, which are not actually in effect!
So Internet Explorer security settings are a convoluted, confusing mess that is partially
hidden.
But that was just before Windows XP SP2.
After SP2 the confusion and the mess have doubled.
Microsoft created an entire second set of security zone settings in the Registry. This new set is stored here:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
So now, for any given security setting in IE, such as whether to allow scripting, there are
5 possible zones stored in 4 complete sets of Registry keys. (HKCU normal, HKCU lockdown, HKLM normal
and HKLM lockdown.) That means there are 57 settings
times 5 zones
times 4 sets. That
is,
there are some 1140 Registry values that control Internet Explorer security settings.
Or rather, there are some 1140 Registry values which may or may not be reflected in the Internet Options Security tab. Some security settings are
also spread around, willy-nilly, on the Advanced tab and Privacy tab.
When LML is in effect, all security settings for the Local Zone are read from the
secondary
Lockdown_Zones keys. You can fiddle with Local Zone settings " 'til the cows come home ",
(provided that you even know how to make those settings visible) and it will have no effect.
Also, the way that Microsoft designed the
Lockdown_Zones Registry keys provides an
option in the future to override all user-selected IE security settings for all zones, not just the Local Zone.
The
Lockdown_Zones Registry
keys for all zones are already present and can be used via the Group Policy Editor.
Given the redundant, misleading and generally confusing nature of the entire
Local Machine Lockdown boondoggle, it seems best not to think in terms of LML, but rather to
just think of all IE security settings as requiring 4 Registry values per setting, per zone. In other words, if
you want to change how IE runs locally, forget LML and just set all four versions of the setting,
under both
Zones and
Lockdown_Zones in both HKLM and HKCU.
But wait, that's not all...
Did we say you get 1,140 looney, redundant, confusing, poorly documented settings? Double that! As of Windows XP SP2 you now get over
2,000 security settings, thanks to new
Group Policy settings. To make
a long story short, Microsoft has added an entire duplicate set of IE security settings that are just like
the original Zones and Lockdown_Zones keys in HKLM and HKCU. Each of those 4 keys now has an equivalent with the same Registry path, except
that it's under
\Software\Policies\Microsoft\... instead of under
\Software\Microsoft\... These new "Policies" settings, when present,
override
the "real" IE security settings!
Wait a minute...Give me that again?...
To recap: Imagine that you are using the original version of Windows XP and you want to
disable scripting in Internet Explorer. First of all, it's not that easy. In Firefox you open the settings and uncheck "Enable JavaScript".
In Internet Explorer there are numerous settings: "Initialize and script ActiveX controls not marked as safe", "Script ActiveX controls marked safe for scripting", "Active scripting",
"Allow paste operations via script", "Scripting of Java applets", ...etc. Which one(s) do you want? Most people won't understand the terminology and the Microsofties can't
be bothered to explain them in the IE help. (After all, they don't want you to disable script in the first place. They want to sell you online
services that require script and they want to use script as part of their arsenal to track your online activities, for the purposes of targetted advertising.) But
for the sake of explanation, just pretend for a
moment that IE actually has a setting to disable script. In the original version of XP you need to first decide which zone you're dealing
with. Do you want to change the setting for pages on your PC? On the Internet? On a company intranet? In your Outlook Express email?... (Yes, Outlook Express is part of
this mess, too. Don't ask.) Once you have figured out
which setting you want to change, there are two values in the Registry that must be changed in order to be sure that you have
actually changed the setting. So, IE4/5/6 before XP SP2 was already an unusable tangle of confusing, obscure settings with no
documentation.
Now imagine that you have just installed XP Service Pack 2. As part of that update
Microsoft created a mirror-image set of IE security settings in the Registry. They doubled the settings. Then they doubled them
again. So you now have 8 separate, complete sets of Internet Explorer security settings where there used to be two, and where there should be just one. If it were even possible to disable
script with one IE security setting, you would now need to change 8 different Registry values in order to do so.
How did Internet Explorer security get so messed up?
It's relevant to note here that this problem is multi-facetted. Once one knows just how bizarre the IE
settings have become it's tempting to think that the Microsofties have just plain "gone off the deep end".
But bloat is only one factor.
The LML problem is because Microsoft generally takes the approach that you are not fit to control your own
settings and therefore should not be allowed to.... So your actions will be restricted for your own good.... And you
won't be given control over that. There is a long history of "secret tweaks": deliberately obscured settings known only
to those who are sufficiently curious -- or desperate -- to hunt them down.
The Group Policy settings are part of another Microsoft tradition: All versions of Windows are
basically designed to be corporate workstations for use by employees with limited permissions.
Microsoft doesn't actually make different versions of Windows. They make one version with more or
less functionality added or removed. So, strange as it may seem, there is no such thing as a version of Windows
designed for use by people who own their own PC and have a right to do as they like with it.
Microsoft has always designed IE the same way, with system administrators in mind. The Group Policy
settings, along with the HKLM-override setting, are there so that corporate system administrators can
override employee settings, without the employees knowing it.
The security settings window
itself can even be removed via the Registry. That functionality is how AOL created their browser.
It was just a customized version of IE with some of the settings made unavailable.
For what it's worth... A script to toggle security in Local Zone
A script is being provided here that deals with the mess described above,
presenting a simple option to toggle between restricted security and normal security for
IE in the Local Zone. The script also provides example code that shows how to deal with
these settings under Local Machine Lockdown and with the new "Policies" settings mess. Actually, there are two scripts. One shows how to
set Local Zone, LML and Group Policy settings simultaneously, effectively nullifying LML and the new "Policies" keys. The other script
uses a different Registry setting altogether to exempt IE from LML.
Download IE Local Zone security script
For a more convenient way to deal with this mess, see the
IE-MD page.
About the settings in the Internet Options window
The Internet Options window has become all but useless.
One can make the Local Zone settings visible in XP, but not in Windows 7.
In Windows 7 you can make the Local Zone icon visible, but if you click it nothing happens. Access to the Local Zone settings
is blocked.
You are simply not allowed to adjust local IE security.
But even in XP, where one can access the Local Zone settings, the Local Machine Lockdown mess affects the Local Zone settings view.
You will see either the actual Local Zone settings that you control, but there's no easy way to know whether those settings
are being overridden by the LML settings. (Not to mention the Group Policy settings or the semi-secret HKLM override setting.)
So one really has no choice but to treat IE security settings as
having 8 Registry values per setting, forget about trying to figure out how and where LML
applies, and forget about trying to use the Internet Options window to adjust any of these settings.
Increasingly, only
people intimately familiar with the IE Registry settings can know whether they are really
controlling Internet Explorer security. An interesting discussion along those lines is offered by a Microsoft
blogger here:
http://blogs.msdn.com/alialvi/archive/2006/10/22/why-is-my-computer-zone-hidden-in-inetcpl-in-internet-explorer-and-how-do-i-make-it-show-up.aspx
The blog posting poses the question,
"Why is "My Computer" Zone hidden in inetcpl in Internet Explorer and how do I make it show up?".
(inetcpl is the Internet Options settings window of IE, which is the same thing as Control Panel -> Internet Options.)
The blog author, one Ali Alvi, is on the "Internet Explorer Team". His words provide a good example of two longstanding Microsoft traditions: 1)
Condescension toward their customers and 2) routine creation of unnecessary abstruseness in Microsoft products. Mr. Alvi partially details
the absurd state of IE security settings for the Local Zone, leaving one more confused by the end of his posting than before reading it.
He seems to be unaware of, and unembarrassed by, the sheer preposterousness of his description of IE as something akin to a broken Rube Goldberg
machine. Mr. Alvi then concludes, "I think its (sic) best not to mess with the Local Machine Zone policies at all." Indeed.
Using HTAs
As most scripters probably know, if you rename a webpage file with the
extension .hta instead of htm, html, etc. it becomes an "HTML Application". An HTA is opened
by MSHTA.exe, a wrapper program that encapsulates an IE browser window and has no security
restrictions at all. While HTAs are a potential security risk, and not a realistic way to make webpages
functional on the Desktop, they do provide a very good alternative
for people who want to create HTML/script-based utilities. With an HTA there is no need to
be concerned about LML or IE settings in general. However, expect more problem with restrictions,
even in HTAs, if you update your version of IE past v. 6.
Resources
You can download the SP2 "white papers" from Microsoft
here.
An article about the SP2 changes is
here.
Back to Top
Overview - Windows and the Web, from Active Desktop to Vista/7
As Microsoft's major software products, such as Office and Windows, have reached maturity
(and beyond) the company can no longer depend on constantly expanding sales. In response to that
Microsoft has been moving toward a business model of "web services" - leasing software-based
services that can be billed over and over again, rather than selling software that can be sold only once.
Microsoft has been trying to market an online
version of Office and each new version of Windows moves closer to being a "web service" in itself, taking more
control away from the PC owner and adding more online communication that happens with neither
the consent nor even the informing of the PC owner. (In other words, spyware.)
Windows programming has been moved to ".Net", which is Microsoft's version of Java.
Microsoft has released Silverlight, which is Microsoft's answer to Flash, based on .Net. And Microsoft's Azure
web hosting service is intended for .Net developers who want to host "rich" web services online. All of this
is coming out of the software rental paradigm.
Phew! Thank goodness that we can do our shopping safely at the
Microsoft Live.com Shopping Mall.
Back to Top
An Internet Explorer Option: Radical Control Over the Browser
Despite all the problems with Internet Explorer, some people prefer IE to other browsers, and other people
don't have a choice. As was explained to some extent above, controlling security and privacy in IE is very difficult. But there are
ways to use IE bugs and problems to advantage:
jsPageFilter is a free IE plug-in that allows you to control
the webpages that IE loads. You can filter webpages before IE gets them, on a per-domain basis. In other words, you
can disable script at one site while allowing it at another. You can block 3rd-party images. You can convert webpages
to plain text. That kind of control has always been available, to some extent, in other browsers, but not in IE. Or rather,
that kind of control has been hidden in IE.
jsPageFilter actually takes advantage of IE shortcomings to
give you greater control in IE than any other browser provides.
Go to the jsPageFilter page
for a full explanation and download.
Back to Top
UserAgent Settings - A Bit of Useless Fun
This section covers a tangential topic that may be of interest to some people.
userAgent is a text string that your browser sends to websites that you visit. It identifies
your browser, operating system, and sometimes includes other information. While the userAgent can be easily
changed with most browsers, changing it is not so easy in Internet Explorer.
If you have script enabled in Internet Explorer, your userAgent should be displayed here:
The userAgent or "userAgent string" is a string of text that the browser sends
to the server when requesting a webpage. The UA string includes the browser model and version.
It can sometimes also include other information. For the most part the UA string is harmless.
It just helps the server to give you the right webpage. But you can change the UA string if you
want to pretend to be using another browser for some reason. In the case of Internet Explorer,
you might also want to just clean up the UA string for the sake of privacy and security. Microsoft,
and some other companies, have got carried away adding information to the userAgent string and
you may not want to share some of that information. (Note, though, that if you pretend to be
using, say, Opera when you are really using IE then many websites, including this one, will
not function properly.)
The typical UA string should read something like these
two examples, for IE5 on Windows 2000 and Firefox 1 on Windows XP:
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20050915 Firefox/1.0.7
Those UA strings are pretty much self-explanatory. Now look at these two UA string:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; FunWebProducts; (R1 1.5); .NET CLR 1.1.4322)
The first UA string above says that the client is using IE6 on Windows XP ("NT 5.1"), with Service Pack 2 ("SV1").
They are using IE6 with the Maxthon IE skin program, MS Infopath, and they also have the .Net v. 1.1 and v. 2 runtimes
installed.
The second UA string is someone using Windows XP SP2, with IE6, probably running through AOL.
They have the .Net v. 1.1 runtime installed and have picked up some other hangers-on:
something named "FunWebProducts" (probably some sort of adware) and something mysteriously named "R1".
Changing the IE userAgent string:
The first part of the UA string - "Mozilla 4/0" - is used for all versions of IE and for Netscape 4. Mozilla browsers use
"Mozilla 5/0". Opera just uses "Opera". There seems to be no way to change "Mozilla 4/0" in the IE UA string.
The rest of the IE UA string is in parentheses, in the following format:
(compatible; Version; Pre-platform info ; Platform (OS); Post-platform info)
Example:
(compatible; MSIE 6.0; Harry's Adware; Windows NT 5.1; Maxthon)
Those parts of the UA string correspond to Registry settings. These
settings are under:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\
For thoroughness, the values should be set (or removed) in both:
HKEY_LOCAL_MACHINE
and
HKEY_CURRENT_USER
to make sure that a different setting is not overriding the ones you have entered.
In Windows XP, some sources also recommend settings under the following keys,
although it appears to be specific to 64-bit Windows and is not mentioned in the official Microsoft documentation that comes with
their official "IE User Agent String Utility". (The official IE UA String Utility is a UA string adjuster,
which comes packaged in a very official MSI installer, but all it will do is to toggle
the version of IE in Windows XP between IE6 and IE7 for testing purposes.)
HKEY_LOCAL_MACHINE,
SOFTWARE\Wow6432Node\Microsoft\
Windows\CurrentVersion\Internet Settings\
The following Registry values demonstrate how to create this UA string:
Mozilla/4.0 (:-); MSIE 18.0; Finally No Bugs; Okey Dokey; Windows 2029; What a treat!)
Under the key:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\
as detailed above, should be
the following keys and values:
Key:
5.0\User Agent
Value:
"Version" Data:
"MSIE 18.0"
Value:
"Platform" Data:
"Windows 2029"
Value:
"Compatible" Data:
":-)"
Key:
User Agent\Pre Platform
Value:
"Okey Dokey" Data:
""
Value:
"Finally No Bugs" Data:
""
Key:
User Agent\Post Platform
Value:
"What a treat!" Data:
""
Anyone familiar with the Registry will be able to figure out how to clean or edit
their IE UA string from that information. To test your UA string changes, save the following
text as a text file, name it with an "html" extension, and open it in IE:
<HTML> <HEAD> </HEAD> <BODY>
<SCRIPT LANGUAGE="VBScript">
document.write(navigator.userAgent)
</SCRIPT>
</BODY> </HTML>
Back to Top
