Each table below lists the security setting, our recommended custom setting for each of the four zones (Restricted Zone, Internet Zone, Trusted Sites, Local Intranet), and comments. Dis = Disable, En = Enable, Pro = Prompt, Hi = High safety, Med = Medium safety.

| .NET Framework | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Loose XAML | Dis | Dis | Pro | En | |
| XAML browser applications | Dis | Dis | Pro | En | |
| XPS documents | Dis | Dis | Pro | En | XPS documents replace the MDI format that was used by Windows Document Imaging. |

| .NET Framework-Reliant Components | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Permissions for components with manifests | Dis | Dis | Hi | Hi | |
| Run components not signed with Authenticode | Dis | Dis | Pro | En | |
| Run components signed with Authenticode | Dis | Dis | En | En | |

| ActiveX Controls and Plug-Ins | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Allow previously unused ActiveX controls to run without prompt | Dis | Dis | Dis | En | |
| Allow Scriptlets | Dis | Dis | Dis | En | |
| Automatic prompting for ActiveX controls | Dis | Dis | Dis | En | This means automatically prompting the remote server to begin the download, not automatically prompting you to OK the download. |
| Binary and script behaviors | Dis | Dis | En | En | |
| Display video and animation on a webpage that does not use external media player | Dis | Dis | Dis | Dis | |
| Download signed ActiveX controls | Dis | Dis | Pro | Pro | |
| Download unsigned ActiveX controls | Dis | Dis | Dis | Dis | |
| Initialize and script ActiveX controls not marked as safe for scripting | Dis | Dis | Dis | Dis | |
| Run ActiveX controls and plug-ins | Dis | Dis | En | En | |
| Script ActiveX controls marked safe for scripting | Dis | Dis | En | En | Allows scripts to manipulate the characteristics or operation of an ActiveX control. If ActiveX controls are enabled but this is disabled, the control runs but cannot be scripted. |

| Downloads | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Automatic prompting for file downloads | Dis | Dis | Dis | En | Automatically prompts the remote computer to start the download (without asking your consent). If this is Disabled, you get the "Some files can harm your computer" warning and must manually OK the download. |
| File download | Dis | Dis | En | En | If Disabled, downloads are prohibited: if you launch a download, you are told it is not allowed and cannot override it. Before downloading, add the site to Trusted Sites, where downloads are allowed. |
| Font download | Dis | Dis | En | En | |
| Enable .NET Framework setup | Dis | Dis | En | En | |

| Miscellaneous | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Access data sources across domains | Dis | Dis | Dis | Pro | |
| Allow META REFRESH | Dis | Dis | En | En | Enables code in a web page to automatically redirect your browser to a web page other than the one you thought you were going to. |
| Allow scripting of Internet Explorer web browser control | Dis | Dis | Dis | En | |
| Allow script-initiated windows without size or position constraints | Dis | Dis | Dis | En | |
| Allow Web pages to use restricted protocols for active content | Dis | Dis | Pro | Pro | |
| Allow websites to open windows without address or status bars | Dis | Dis | Dis | En | |
| Display mixed content | Dis | Pro | Pro | Pro | Some web pages contain a mixture of secure (encrypted https) and nonsecure (http) content. When entering sensitive data into a form (credit card information, etc.), you should not allow the unsecured content to be displayed; this ensures that the form will be fully encrypted when sent back to the website. In practice, however, many websites are careless about serving https pages that include images from one of their other (http) servers, which causes IE to give the mixed content warning. If you are not entering sensitive data, this is not a security concern. |
| Don't prompt for client certificate selection when no certificates or only one certificate exists | Dis | Dis | Dis | En | |
| Drag and drop or copy and paste files | Dis | Dis | Pro | En | |
| Include local directory path when uploading files to a server | Dis | Dis | En | En | |
| Installation of desktop items | Dis | Dis | Pro | Pro | |
| Launching applications and unsafe files | Dis | Dis | Pro | En | |
| Launching programs and files in an IFRAME | Dis | Dis | Pro | Pro | |
| Navigate sub-frames across different domains | Dis | Dis | Dis | En | |
| Open files based on content, not file extension | Dis | Dis | En | En | This is MIME sniffing. When enabled, a file that the server says is text, but that IE detects is actually a movie or other media type, may be "promoted" (in the Internet Explorer cache) to its actual (and potentially less safe) detected type so it can play. When disabled, a text file is treated as text regardless of the MIME type detected by IE, so potentially unsafe files don't get automatically promoted to a less safe type. If you try to download a media file and it displays as garbage text in your browser, this setting is the likely reason. This is especially common because the MIME types for Windows media files (.wma, .wmv) are not automatically known to Linux/Apache servers, and many webmasters don't know how to set up the correct MIME types. |
| Software channel permissions | Hi | Hi | Med | Med | |
| Submit nonencrypted form data | Dis | En | En | En | When entering sensitive information, make sure that the form is encrypted: the page is https and you get no warning about "mixed content". However, most forms you fill out are not sensitive, and when this is set to Prompt, the constant warnings are a nuisance. This setting is in red to indicate that you must make a judgment call when filling out a form: is this information sensitive enough that I should not fill it out because it isn't encrypted? When it is not encrypted, anyone eavesdropping along the path it takes back to the server can intercept and read it. |
| Use Phishing Filter | En | En | En | Dis | |
| Use Pop-up Blocker | En | En | En | Dis | "Using" it is different from turning it on. You can leave this Enabled but then turn it off via the Tools menu in the toolbar. |
| Userdata persistence | Dis | Dis | En | En | |
| Web sites in less privileged web content zone can navigate into this zone | Dis | Dis | En | En | |

| Scripting | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Active scripting | Dis | Dis | En | En | This refers to JavaScript and VBScript. Many websites use these, but rarely for anything important. On the other hand, many viruses are written with JS and VBS, so scripting should always be disabled in the Internet Zone, for sites you have never visited before. About 96% of web surfers leave scripting enabled all the time, which puts them at unnecessary risk of infection. TURN SCRIPTING OFF! Most of the time you don't need it, and when you do need it, you can put the site in the Trusted Sites zone. |
| Allow Programmatic clipboard access | Dis | Dis | Pro | En | Do not allow websites to see what you have in your clipboard. |
| Allow status bar updates via script | Dis | Dis | Dis | En | Prevents websites from fooling you by modifying what is shown in the status bar at the bottom of the page. It is supposed to show the destination of links; don't let websites change it to show a destination that is different from the real one. |
| Allow websites to prompt for information using scripted windows | Dis | Dis | Dis | En | |
| Scripting of Java applets | Dis | Dis | En | En | Sun Java is completely different from JavaScript (see Active scripting, above), but Java applets (applications written in Sun Java) should also be disabled at sites you've never visited before. |

| User Authentication | Restricted Zone | Internet Zone | Trusted Sites | Local Intranet | Comments |
|---|---|---|---|---|---|
| Logon | Prompt for user name and password | Prompt for user name and password | Automatic logon only in Intranet Zone | Automatic logon only in Intranet Zone | |
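As an added example (not part of the original table), a small Python audit that reads a `reg export` of the Internet Explorer Zones key and reports every setting that deviates from the recommended values above. The per-setting action codes and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are assumed from Microsoft's documented zone registry layout, so verify them for your IE version; the sample export is constructed.

```python
import re
# IE zone action codes as stored under ...\Internet Settings\Zones\<zone>;
# codes and the 0=Enable/1=Prompt/3=Disable encoding are assumed from
# Microsoft's documented layout, so verify them for your IE version.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
           "1400": "Active scripting",
           "1803": "File download",
           "1004": "Download unsigned ActiveX controls",
           "1609": "Display mixed content"}
ENABLE, PROMPT, DISABLE = 0, 1, 3
# Recommended values from the table, keyed by zone number
# (1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted).
RECOMMENDED = {"1200": {4: DISABLE, 3: DISABLE, 2: ENABLE, 1: ENABLE},
               "1400": {4: DISABLE, 3: DISABLE, 2: ENABLE, 1: ENABLE},
               "1803": {4: DISABLE, 3: DISABLE, 2: ENABLE, 1: ENABLE},
               "1004": {4: DISABLE, 3: DISABLE, 2: DISABLE, 1: DISABLE},
               "1609": {4: DISABLE, 3: PROMPT, 2: PROMPT, 1: PROMPT}}

def parse_zones(reg_text):
    """Parse a `reg export` of the Zones key into {zone: {code: value}}."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"\[.*\\Zones\\(\d+)\]$", line.strip())
        if key:
            current = int(key.group(1))
            zones.setdefault(current, {})
            continue
        val = re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line.strip())
        if val and current is not None:
            zones[current][val.group(1).upper()] = int(val.group(2), 16)
    return zones

def audit(reg_text):
    """Return (zone, setting, found, recommended) for every deviation.
    A code missing from the export counts as a deviation (found is None)."""
    findings = []
    for zone, values in parse_zones(reg_text).items():
        for code, per_zone in RECOMMENDED.items():
            if zone in per_zone and values.get(code) != per_zone[zone]:
                findings.append((zone, ACTIONS[code], values.get(code), per_zone[zone]))
    return findings

# Constructed sample export: Internet zone (3) with Active scripting left on.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000000
"1803"=dword:00000003
"1004"=dword:00000003
"1609"=dword:00000001
"""
```

Running `audit(SAMPLE)` flags only Active scripting in the Internet zone (found 0, recommended 3); feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` to check a real profile.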