Have you ever wondered what all those “Custom Security Settings” do in Internet Explorer 7 and what the impact will be if you change them? In the version of Internet Explorer 7 I’m using I counted 47 different custom settings that can be modified. While the impact of some of the settings is fairly obvious (for example, turning the phishing filter on or off or enabling file downloads), some are much more obscure: what happens if you enable “Allow META REFRESH”? In this series of articles, we’ll look at each of these settings and provide you with a guide to what does what, which options you should tweak, and which options might be best left alone. In this article, we’ll look at the settings under the .NET Framework sections.
To access the Custom Security Settings, click on Tools, then Internet Options, then click on the Security tab. Make sure the Internet zone is selected, then click on the Custom level button. The Default level button will return you to the settings to which Internet Explorer 7 defaults on a fresh installation.
There are two .NET Framework sections that contain properties that can be modified: .NET Framework and .NET Framework-reliant components. Let’s look at the settings under each of these sections in turn.
Loose XAML
The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can navigate to and load XAML files. XAML stands for Extensible Application Markup Language, Microsoft’s new language that drives their Windows Presentation Foundation (WPF) graphics subsystem. A XAML file is considered “loose” if Internet Explorer can’t identify the file using a “pack URI.” A pack (short for “package”) URI bundles various file information that can be used by WPF to navigate, locate files, load files, and specify the user interface to show when the file loads. (Source: MSDN)
XAML browser applications
The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can navigate to and load XBAPs. XBAP stands for XAML Browser Application and is described by Microsoft as a “rich-client application.” Essentially, it is a program that can be served from a web site but can take advantage of the power of WPF, which is installed on the user’s Windows computer, to deliver graphics and functionality similar to what you’d get in a desktop application using WPF. XBAP applications can only run in the Internet zone and so leverage a subset of WPF functionality, making them more secure than a desktop application delivered via the web. (Source: MSDN)
XPS documents
The default setting for this is Enable and there is no need to change this. This setting determines whether Internet Explorer 7 can load XPS documents. These documents use Microsoft’s XML Paper Specification document format, which they are positioning as a direct competitor to Adobe’s PDF format. Since XPS documents don’t contain a macro engine or run code, they’re fairly safe.
Permissions for components with manifests
The options for this setting are Disable and High Safety, with the latter being the default. Again, there is no reason to change this setting. When a .NET web application is written, the developer has the option of deploying the component as a “ClickOnce” application, which makes it easier for the user to install the component. ClickOnce applications include an application manifest, which is an XML file that includes information about the component, including the trust level under which the component should run (for more information, see my article on Internet Explorer Protected Mode here). The setting “High Safety” means that the component is not allowed to elevate its permissions, and as long as it’s not requesting an elevation or is delivered with a certificate signed by a trusted publisher, it will be allowed to run. Disabling this setting will prevent components with manifests from running at all. (Source: MSDN)
Run components not signed with Authenticode
The default setting for this is Enable and there is no need to change this. This setting specifies that downloaded code that does not have a certificate signed by a Trusted Certificate Authority, such as Verisign, should be allowed to run. While code signing is a good idea, it can be expensive and many legitimate developers choose not to sign their code. If you are having problems with malware, you may want to change this setting to Prompt until you get things cleared up.
Run components signed with Authenticode
The default setting for this is Enable and there is no need to change this. Components signed with an Authenticode certificate generally are safer than those not signed because certificate authorities are supposed to verify that the certificate owner is legitimate. It is generally safe to run code signed with an Authenticode certificate.
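To check these six settings across many machines without opening the dialog, the following added example (not part of the original article) parses the text produced by `reg query` for the Internet zone and reports every setting that differs from the defaults described above. The registry value names (2001, 2004, 2007, 2400, 2401, 2402) and the data encodings are assumptions taken from Microsoft's documented per-zone registry layout, not from the article, and the sample input is constructed.

```python
import re

# Constructed sample of `reg query` output for the Internet zone (zone 3);
# not captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    2001    REG_DWORD    0x0
    2004    REG_DWORD    0x1
    2007    REG_DWORD    0x3
    2400    REG_DWORD    0x0
    2401    REG_DWORD    0x0
"""

# Registry value name -> (setting label in the dialog, default per the article).
# Value names and numeric encodings are assumptions, not given in the article.
DEFAULTS = {
    "2402": ("Loose XAML", 0x0),
    "2400": ("XAML browser applications", 0x0),
    "2401": ("XPS documents", 0x0),
    "2007": ("Permissions for components with manifests", 0x10000),
    "2004": ("Run components not signed with Authenticode", 0x0),
    "2001": ("Run components signed with Authenticode", 0x0),
}
LABELS = {0x0: "Enable", 0x1: "Prompt", 0x3: "Disable", 0x10000: "High Safety"}

# One indented data row: value name, type, hexadecimal data.
ROW = re.compile(r"^\s+([0-9A-Fa-f]{4})\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD row in the export."""
    values = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (setting, state, note) for each setting that is not at its default."""
    found = parse_reg_query(text)
    report = []
    for name, (title, default) in DEFAULTS.items():
        if name not in found:
            report.append((title, "not set", "value missing from export"))
        elif found[name] != default:
            state = LABELS.get(found[name], hex(found[name]))
            report.append((title, state, "default is " + LABELS[default]))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-45s %-12s %s" % row)
```

Group Policy can override these per-user values from the Policies hives, so an export of the HKEY_CURRENT_USER key alone may not show the effective setting.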
More to Come…
That takes care of the first two sections in Internet Explorer 7’s Custom Security settings. I’ll be working through each of the remaining sections in future articles.