Share via


Internet Explorer 7 and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Internet Explorer 7

Steps for Planning and Deploying Configurations for Internet Explorer 7

Examples of the Security-Related Features Offered in Internet Explorer 7

Resources for Learning About Topics Related to Security in Internet Explorer 7

Procedures for Controlling Internet Explorer in Windows Vista

Section Summary

This section provides information about:

  • The benefits of Microsoft Internet Explorer 7 in Windows Vista.

  • Steps for planning and deploying configurations for Internet Explorer 7 in a way that balances your users’ requirements for Internet access with your organization’s requirements for protection of networked assets.

  • Examples of the security-related features offered in Internet Explorer 7.

    Note that Phishing Filter, one of the security-related features in Internet Explorer 7, is described in Phishing Filter and Resulting Internet Communication in Windows Vista, later in this white paper.

  • Resources for learning about topics related to security in Internet Explorer 7. This includes resources that help you learn about:

    • Security and privacy settings in Internet Explorer 7.

    • Mitigating the risks inherent in Web-based applications and scripts.

    • Methods for controlling the configuration of Internet Explorer 7 in your organization by using Group Policy, the Internet Explorer Administration Kit (IEAK), or both.

  • Information about specifying the Web browser in Windows Vista and for controlling whether users have access to Internet Explorer. There are several ways to do this:

    • During unattended installation.

    • With the Default Programs interface.

  • Information about setting the security level to High for specific Web sites.

Note

This section of this white paper describes Internet Explorer 7, but it does not describe the related feature, Windows Mail (the e-mail feature in Windows Vista), Content Advisor, or the wizard for making a connection to the Internet. It also does not describe the Phishing Filter in Internet Explorer or error reporting for Internet Explorer. For information about these features, see the following sections of this white paper:

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users perform such actions as connecting to Web sites, running software from the Internet, or downloading items from the Internet. This section, however, provides overview information as well as suggestions for other sources of information about how to balance users’ requirements for Internet access with your organization’s requirements for protection of networked assets.

For more information about Internet Explorer, see the following resources:

Benefits and Purposes of Internet Explorer 7

Internet Explorer 7 in Windows Vista is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from most of the other features described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with features that communicate with the Internet in the process of supporting another activity).

Internet Explorer 7 is also designed to be highly configurable, with security and privacy settings that can protect your organization’s networked assets while at the same time provide users with access to useful information and tools. With an understanding of the settings and options available in Internet Explorer 7, you can choose the settings appropriate to your organization’s requirements and create a plan for one or more standard Internet Explorer configurations. After planning your standard configurations, you can use deployment tools to deploy and maintain them. The subsections that follow provide more information about these steps.

Steps for Planning and Deploying Configurations for Internet Explorer 7

This section outlines a list of steps that can help you deploy Internet Explorer 7 in a way that provides users with Internet access, while at the same time providing your organization’s networked assets with an appropriate level of protection from the risks inherent on the Internet. (If you prefer to prevent access to Internet Explorer 7, see "Procedures for Specifying the Web Browser in Windows Vista," later in this section.)

A recommended set of steps is:

  • Assess the other elements in your security plan that will work together with Internet Explorer 7 to provide users with access to the Internet while still providing an appropriate degree of protection for your organization’s networked assets. These elements include:

    It is beyond the scope of this white paper to provide detailed recommendations for these security elements. For more information about security, see the references listed in the introduction, as well as the documentation for your proxy server, firewall, virus-protection software, and other software you use to protect networked assets.

  • Learn about the security-related features offered in Internet Explorer 7. Some of these features are described in "Examples of the Security-Related Features Offered in Internet Explorer 7," later in this section. Using information about these features, identify those that are of most value for your business and security requirements.

  • Learn how to configure security settings in Internet Explorer 7, as described in "Learning About Security and Privacy Settings in Internet Explorer 7," later in this section.

  • Learn about ways to mitigate the risks inherent in code that can be run through a browser, as described in "Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts," later in this section.

  • After gathering information about the previous three items (security-related features, security settings, risks inherent in code), plan one or more standard Internet Explorer configurations for the desktops in your organization.

  • Learn about ways of controlling the configuration of Internet Explorer 7 across your organization:

    • Learn about using Group Policy to control the configuration of Internet Explorer 7 on desktops across your organization, as described in "Learning About Group Policy Objects that Control Configuration Settings for Internet Explorer 7," later in this section.

    • Learn about the deployment technologies available in the Internet Explorer Administration Kit (IEAK) 7 to create a customized Internet Explorer package to deploy in your organization. The IEAK is briefly described in "Learning About the Internet Explorer Administration Kit," later in this section.

    Using the information about Group Policy and the IEAK, create a plan for deploying and maintaining your standard Internet Explorer configurations.

Preventing Access to Internet Explorer 7

For information about preventing access to Internet Explorer 7 in Windows Vista, see "Procedures for Specifying the Web Browser in Windows Vista," later in this section.

This subsection describes enhancements in some of the security-related features in Internet Explorer 7. Some of the features are added since Internet Explorer 6 and some have been continued from Internet Explorer 6.

Some of the security-related features that have been added since Internet Explorer 6 include:

  • Microsoft Phishing Filter: Internet Explorer 7 includes functionality to help protect against phishing Web sites that attempt to trick users into revealing personally identifiable information. The Microsoft Phishing Filter is described in Phishing Filter and Resulting Internet Communication in Windows Vista.

  • Protected Mode: Windows Vista Protected Mode helps reduce the severity of threats to both Internet Explorer and Internet Explorer add-ons by requiring user interaction for actions that would affect the operating system. Even if the user gives permission, Internet Explorer can affect only areas directly controlled by the user, meaning a more secure locked-down environment. This feature takes advantage of the Windows Vista Integrity mechanism and User Interface Privilege Isolation (UIPI) to block interaction from Internet Explorer with higher integrity applications system resources. Protected Mode also includes compatibility features that allow most extensions to continue running with no changes and provide impacted extensions with clear alternative options.

  • Secure Sockets Layer (SSL): Internet Explorer 7 makes it easier to see whether Web transactions are secured by SSL or Transport Layer Security (TLS). A security report icon appears to the right of the address bar when you view a page using a Secure Hypertext Transfer Protocol (HTTPS) connection. Clicking this icon displays a report describing the certificate used to encrypt the connection and the certification authority that issued the certificate. The security report also provides links to more detailed information. Internet Explorer 7 also supports High Assurance certificates, giving further guidance to users that they are, in fact, communicating with a verified organization. This verification will be granted by existing certification authorities and show up in the browser as a clear green fill in the address bar.

  • Microsoft ActiveX Opt-In: Internet Explorer 7 disables all ActiveX controls that were not used in Internet Explorer 6 and all ActiveX controls that are not flagged for use on the Internet. When users encounter an ActiveX control for the first time, they see a gold bar asking if they want to use the control. Users can then selectively allow or prevent running the control. Note that by default, the ActiveX opt-in does not apply to Intranet and Trusted Site zones; controls on those zones, including a short list of preapproved controls, run without prompting.

The following list names some of the security-related features that have been continued from Internet Explorer 6. Documentation for either Internet Explorer 6 or Internet Explorer 7 describes these features in more detail:

  • A Privacy tab that provides flexibility in blocking and allowing cookies based on the Web site that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy.

  • Security settings that define "Security Zones" and for each zone, provide control over the way that Internet Explorer 7 handles higher-risk items such as ActiveX controls, downloads, and scripts.

  • Support for content-restricted inline floating frames (IFrames). This type of support enables developers to implement IFrames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks.

  • A configurable pop-up blocker that helps you control pop-ups.

  • An improved interface for managing add-ons (programs that extend the capabilities of the browser).

For more information about features available in Internet Explorer, see the information in the next subsection, as well as the Internet Explorer page on the Microsoft Web site at:

https://www.microsoft.com/windows/ie/

This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 7:

  • Security and privacy settings available in Internet Explorer 7

  • Methods for mitigating the risks inherent in Web-based programs and scripts

  • Ways to use Group Policy objects that control configuration settings for Internet Explorer 7

  • The Internet Explorer Administration Kit

In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.

Learning About Security and Privacy Settings in Internet Explorer 7

Some important sources of detailed information about the security and privacy settings in Internet Explorer 7 in Windows Vista are as follows:

In addition, the privacy statement for Internet Explorer 7 includes information about some of the features in Internet Explorer 7. This privacy statement is on the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=70681

Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts

In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects running within Web pages. This code can move across the Internet and is sometimes referred to as "mobile code." Configuration settings provide ways for you to control how Internet Explorer 7 responds when a user tries to run mobile code.

Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows:

  • You can control the code (in ActiveX controls or in scripts, for instance) that users can run. Do this by customizing Authenticode® settings, which can, for example, prevent users from running any unsigned code or enable them to only run code signed by specific authors. For more information, see information about code signing on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=71300

  • If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 7 looks for a requested executable, it goes to your own internal Web site instead of the Internet. You can do this by changing the registry key that specifies an Internet search path for Internet-based code:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath

    This registry key usually contains the keyword CODEBASE, which allows software to specify its own Internet search path for downloading components (that is, when CODEBASE is present, calls to CoGetClassObjectFromURL check the szCodeURL location for downloading components). After CODEBASE, the CodeBaseSearchPath registry key usually lists additional URLs in the Internet search path, with each URL enclosed in angle brackets and separated by a semicolon. If you remove CODEBASE from the registry key and instead specify a site on your own intranet, software will check that site, not an Internet site, for downloadable components. The URL specified in CodeBaseSearchPath will receive an HTTP POST request with data in the following format and respond with the object to install and load.

    CLSID={class id}
    Version=a,b,c,d
    MIMETYPE=mimetype
    

    For more information, see the following MSDN topic about Internet Component Download, and search for all instances of CodeBaseSearchPath:

    https://go.microsoft.com/fwlink/?LinkId=75005

For more information about how a particular Microsoft programming or scripting language works, see the MSDN Web site at:

https://msdn.microsoft.com/

Learning About Group Policy Objects that Control Configuration Settings for Internet Explorer 7

You can control configuration settings for Internet Explorer 7 by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Vista in this white paper.

To learn about specific Group Policy settings that can be applied to computers running Windows Vista, see the following sources of information:

Learning About the Internet Explorer Administration Kit

Using the Internet Explorer Administration Kit (IEAK), you can create a customized Internet Explorer package for use in your organization. You can then deploy your customized package using standard means such as network shares, intranet sites, media such as CDs, or through a system management solution, such as Microsoft Systems Management Server 2003 R2. (You can also control the configuration of Internet Explorer by using Group Policy. For more information, see "Learning About Group Policy Objects that Control Configuration Settings for Internet Explorer 7," earlier in this section.)

A few of the features and resources in the IEAK include:

  • Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops.

  • IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.

  • IEAK Toolkit. Contains a variety of helpful tools, programs, and sample files.

  • IEAK Help. Includes many conceptual and procedural topics that you can view by using the Contents and Search tabs. You can also print topics from IEAK Help.

For more information about the IEAK, see TechNet Web pages at:

https://go.microsoft.com/fwlink/?LinkId=71520

Procedures for Controlling Internet Explorer in Windows Vista

The following subsections provide procedures for carrying out two types of tasks:

  • Controlling the browser available for use in Windows Vista

  • Setting the security level for specific Web sites

Procedures for Controlling the Web Browser Available for Use in Windows Vista

This subsection provides information about controlling the browser available for use in Windows Vista, for situations where you do not want users to have access to Internet Explorer, or where you want users to use another Web browser exclusively. Methods of controlling browser availability include:

  • During unattended installation, with an answer file

  • Through the Default Programs interface

To Specify a Browser During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.

  2. Confirm that your answer file includes the following lines. If you already have a <ClientApplications> section in your answer file, the "Internet" line (the line containing the path to your browser) should be included in the <ClientApplications> section rather than repeating the section.

        <ClientApplications>

            <Internet>path_to_browser</Internet>

        </ClientApplications>

    For path_to_browser, specify the path to your Web browser.

To Remove Visible Entry Points to Internet Explorer During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.

  2. Confirm that your answer file includes the following lines. If you already have a <WindowsFeatures> section in your answer file, the "ShowInternetExplorer" line should be included in the <WindowsFeatures> section rather than repeating the section.

       <WindowsFeatures>

            <ShowInternetExplorer>false</ShowInternetExplorer>

       </WindowsFeatures>

Note

This procedure removes visible entry points to Internet Explorer, but it does not prevent Internet Explorer from running.

To Specify a Browser Through the Default Programs Interface

  1. Click Start, click Default Programs, and then click Set program access and computer defaults.

  2. Click the Custom button.

Note

Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Internet Explorer, but also to Windows Mail and Windows Media® Player. If you do this, skip the remaining steps of this procedure.

  1. To disable access to Internet Explorer on this computer, to the right of Internet Explorer, clear the check box for Enable access to this program.

  2. If you want a different default Web browser to be available to users of this computer, select the Web browser from the options available.

Note

For step 4, if your Web browser does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see the MSDN Web site at:

<https://go.microsoft.com/fwlink/?linkid=29306>  
  

Procedures for Setting the Security Level to High for Specific Web Sites

The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as running scripts and downloading files from the site. For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or allows plug-ins, ActiveX controls, or scripts to run, see “Examples of the Security-Related Features Offered in Internet Explorer 7” and “Learning About Security and Privacy Settings in Internet Explorer 7,” earlier in this section.

To Configure a Specific Computer with a Security Level of High for Specific Sites

  1. On the computer on which you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Restricted sites.

  3. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both disabled. After viewing the settings, click Cancel.

  4. With Restricted sites still selected, click Sites.

  5. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    http://*.Example.com

  6. Click the Add button.

To Use Group Policy to Set the Security Level to High for Specific Sites that Users in Your Organization Might Connect To

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. In Group Policy, expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then click Security.

  3. In the details pane, double-click Security Zones and Content Ratings.

  4. Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings.

  5. Select Restricted sites.

  6. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, click Custom Level and then scroll down to confirm that for High security, active scripting and file downloads are both disabled. After viewing the settings, click Cancel.

  7. With Restricted sites still selected, click Sites.

  8. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    http://*.Example.com

  9. Click the Add button.