Internet Explorer 7 Security Settings

Written by:  • Edited by: Aaron R.
Updated Aug 18, 2008

Have you ever wondered what those Custom Security Settings in Internet Explorer 7 are all about? In this series of articles we'll find out. I'll also be making some recommendations on how to configure these custom settings.

Have you ever wondered what all those "Custom Security Settings" in Internet Explorer 7 do, and what the impact will be if you change them? In the version of Internet Explorer 7 I'm using, I counted 47 different custom settings that can be modified. While the impact of some of the settings is fairly obvious (for example, turning the phishing filter on or off, or enabling file downloads), some are much more obscure: what happens if you enable "Allow META REFRESH"? In this series of articles, we'll look at each of these settings and provide you with a guide to what does what, which options you should tweak, and which options might be best left alone. In this article, we'll look at the settings under the .NET Framework sections.

To access the Custom Security Settings click on Tools, Internet Options then click on the Security tab [Image1]. Make sure the Internet zone is selected then click on the Custom level button [Image2]. The Default level button will return you to the settings to which Internet Explorer 7 defaults on a fresh installation.

There are two .NET Framework sections that contain properties that can be modified: .NET Framework and .NET Framework-reliant components. Let's look at the settings under each of these sections in turn.

Loose XAML

The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can navigate to and load XAML files. XAML stands for Extensible Application Markup Language, Microsoft's new language that drives their Windows Presentation Foundation (WPF) graphics subsystem. A XAML file is considered "loose" if Internet Explorer can't identify the file using a "pack URI." A pack (short for "package") URI bundles various file information that WPF can use to navigate, locate files, load files, and specify the user interface to show when the file loads. (Source: MSDN)

XAML browser applications

The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can navigate to and load XBAPs. XBAP stands for XAML Browser Application and is described by Microsoft as a "rich-client application." Essentially, it is a program that is served from a web site but takes advantage of the WPF installation on the user's Windows computer to deliver graphics and functionality similar to what you'd get in a desktop application using WPF. XBAP applications can only run in the Internet zone and so leverage only a subset of WPF functionality, making them more secure than a desktop application delivered via the web. (Source: MSDN)

XPS documents

The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can load XPS documents. These documents use Microsoft's XML Paper Specification document format, which Microsoft is positioning as a direct competitor to Adobe's PDF format. Since XPS documents don't contain a macro engine or run code, they're fairly safe.

Permissions for components with manifests

The options for this setting are Disable and High Safety, with the latter being the default. Again, there is no reason to change this setting. When a .NET web application is written, the developer has the option of deploying the component as a "ClickOnce" application, which makes it easier for the user to install the component. ClickOnce applications include an application manifest, which is an XML file that includes information about the component, including the trust level under which the component should run (for more information, see my article on Internet Explorer Protected Mode here). The setting "High Safety" means that the component is not allowed to elevate its permissions, and as long as it's not requesting an elevation or is delivered with a certificate signed by a trusted publisher, it will be allowed to run. Disabling this setting will prevent components with manifests from running at all. (Source: MSDN)

Run components not signed with Authenticode

The default setting for this is Enable and there is no need to change this. This setting specifies that downloaded code that does not have a certificate signed by a Trusted Certificate Authority, such as Verisign, should be allowed to run. While code signing is a good idea, it can be expensive and many legitimate developers choose not to sign their code. If you are having problems with malware, you may want to change this setting to Prompt until you get things cleared up.

Run components signed with Authenticode

The default setting for this is Enable and there is no need to change this. Components signed with an Authenticode certificate generally are safer than those not signed because certificate authorities are supposed to verify that the certificate owner is legitimate. It is generally safe to run code signed with an Authenticode certificate.

More to Come...

That takes care of the first two sections in Internet Explorer 7's Custom Security settings. I'll be working through each of the remaining sections in future articles.
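To check the six settings above without clicking through the dialog, the following added example (not part of the original article) audits a text export of the Internet zone's registry key against the defaults stated in this article. The numeric URL action IDs, the value encodings and the registry path are assumptions taken from Microsoft's security-zone registry documentation, not from this page, and the sample export is constructed.

```python
import re

# URL action IDs and value encodings are assumptions from Microsoft's
# security-zone registry documentation; the defaults are the ones this article states.
ENABLE, PROMPT, DISABLE, HIGH_SAFETY = 0x0, 0x1, 0x3, 0x10000
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable",
         HIGH_SAFETY: "High Safety"}
SETTINGS = {
    "2402": ("Loose XAML", ENABLE),
    "2400": ("XAML browser applications", ENABLE),
    "2401": ("XPS documents", ENABLE),
    "2007": ("Permissions for components with manifests", HIGH_SAFETY),
    "2004": ("Run components not signed with Authenticode", ENABLE),
    "2001": ("Run components signed with Authenticode", ENABLE),
}

# Constructed sample: `reg export` text for the Internet zone (zone 3),
# already decoded to a Python string.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2001"=dword:00000000
"2004"=dword:00000001
"2007"=dword:00010000
"2400"=dword:00000000
"2401"=dword:00000003
'''

DWORD_LINE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_zone(export_text):
    """Return {setting name: (state, matches_article_default)}."""
    found = {}
    for line in export_text.splitlines():
        m = DWORD_LINE.match(line.strip())
        if m:
            found[m.group(1).upper()] = int(m.group(2), 16)
    report = {}
    for action, (name, default) in SETTINGS.items():
        if action not in found:
            # Absent from the export: cannot be compared, so flag for review.
            report[name] = ("not set in export", False)
        else:
            value = found[action]
            report[name] = (NAMES.get(value, hex(value)), value == default)
    return report

if __name__ == "__main__":
    for name, (state, ok) in audit_zone(SAMPLE_EXPORT).items():
        print(f"{'default' if ok else 'review '}  {name}: {state}")
```

Settings reported as "review" either differ from the default described above or were missing from the export.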


Comments

 
Kell Jan 14, 2010 11:13 AM
Run components not signed with Authenticode
So are we best changing this or not? Microsoft states that Enabling this may increase our security risks, and may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. Microsoft recommends Enabling it only if we really require this process.
It also explains that any application that uses ClickOnce technology over the Internet or over an intranet, allows a user on a client computer to click Install or Run on a published page.
Raven Nov 21, 2009 9:09 AM
Oops
My mistake on my previous comment... I thought this was a different article. There is another article on the ActiveX settings in IE7, that is very similar to this one and is written in the exact same writing style so that one can barely tell the difference. Unlike this article, it is 2 pages long.
Raven Nov 21, 2009 9:06 AM
Where??!?
This is a reasonably good guide; it is a very good guide for the settings it actually explains, but of course not helpful for the ones it doesn't (such as, "Behaviors: The 'behaviors' setting refers to a type of code which does certain things." Um... duh??). However, the ones that do are great. But all of the links are broken! Where do I find the rest of the settings? Since the amount of options in this area is very low, they should really all be in one article. Please e-mail me if someone knows the links to where these broken links are supposed to lead!
Eve Parks Nov 19, 2009 6:22 AM
Internet Security Settings
This series of articles is extremely helpful!!! Thank you for the explanations, which I have not found anywhere else online. Having read Articles 1 & 2, I look forward to your writing about the remaining options under security settings.
 