So far, we have looked at four categories of security settings that you can configure for IE7’s Security Zones: .NET Framework, ActiveX Controls and Plug-ins, Downloads, and Java VM. Now let’s take a look at the Miscellaneous, Scripting, and User Authentication categories.
The Miscellaneous category contains a hodgepodge of settings, most of which were added as the result of various security patches and fixes that have been integrated into Internet Explorer over the last couple of years. Each of these settings can be configured as Enable, Disable, or Prompt.
- Access Data Sources Across Domains: Controls cross-domain data access, which can open the door to various spoofing attacks.
- Allow META REFRESH: Controls whether Web pages can use meta-refreshes to reload pages after a preset delay.
- Allow scripting of Internet Explorer web browser control.
- Allow script-initiated windows without size or position constraints.
- Allow Web pages to use restricted protocols for active content.
- Allow Web sites to open windows without address or status bars.
- Display Mixed Content: Controls whether Web pages can display content from both secure and nonsecure servers.
- Don’t Prompt For Client Certificate When No Certificates Or Only One Certificate Exists: Controls whether users are prompted to select a certificate when no trusted certificate or only one trusted certificate has been installed on the computer.
- Drag And Drop Or Copy And Paste Files: Controls whether users can drag and drop files or copy and paste files.
- Include local directory path when uploading files to a server.
- Installation Of Desktop Items: Controls whether users can download and install Active Desktop content.
- Launching applications and unsafe files
- Launching Programs And Files In An IFRAME: Controls whether applications may be run and files may be downloaded from within a floating frame (IFRAME).
- Navigate Subframes Across Different Domains: Designed to prevent frame spoofing, which is defined as inserting a page containing malicious content within a frame on a legitimate Web site.
- Open files based on content, not file extension.
- Software Channel Permissions: Controls whether an e-mail message can be sent with notification of available software for download or whether that software can be installed.
- Submit Nonencrypted Form Data: Controls whether data in HTML forms may be submitted. (Keep in mind that this only affects non-SSL form data; any data submitted with SSL encryption is always allowed.)
- Use Phishing Filter.
- Use Pop-Up Blocker.
- Userdata Persistence: Controls whether a page's objects can persist data, such as page state, as user data on the local machine.
- Web sites in less privileged web content zone can navigate into this zone.
The Scripting category contains three settings, which allow you to clamp down on malicious scripting activities. Each of these settings can be configured as Enable, Disable, or Prompt.
- Active Scripting.
- Allow programmatic clipboard access.
- Allow status bar updates via script.
- Allow Web sites to prompt for information using scripted windows.
- Scripting Of Java Applets.
Many Web sites and intranet sites require user authentication to gain access. The Logon security setting allows you to control how Internet Explorer transmits authentication information by selecting one of four options.
- Anonymous Logon: Disables authentication and uses guest access.
- Automatic Logon Only with Intranet Zone: Automatically logs on to all sites in the Intranet zone with the current session username and password, and prompts for a username and password for sites in all other zones.
- Automatic Logon With Username And Password: Configures Internet Explorer with the current session username and password.
- Prompt For Username And Password: Configures Internet Explorer to always prompt for a username and a password.
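As an added example (not code from the original article), the PowerShell audit script below reads one zone's registry values and reports how several of the Miscellaneous, Scripting and Logon settings described above are configured. The registry path, the value names (1406, 1609, 1607, 1601, 1804, 1809, 1400, 1407, 1402, 1A00) and the 0/1/3 and logon encodings are taken from Microsoft's documented zone settings rather than from this page, so treat them as assumptions to verify against your own build.

```powershell
# Added audit script (not from the original article). Assumption: IE stores each zone
# setting as a DWORD under HK(CU|LM)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# with 0 = Enable, 1 = Prompt, 3 = Disable; value names follow Microsoft's zone documentation.
param(
    [ValidateSet(0,1,2,3,4)] [int] $Zone = 3   # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
)

$settings = [ordered]@{
    '1406' = 'Access data sources across domains'
    '1609' = 'Display mixed content'
    '1607' = 'Navigate subframes across different domains'
    '1601' = 'Submit nonencrypted form data'
    '1804' = 'Launching programs and files in an IFRAME'
    '1809' = 'Use Pop-up Blocker'
    '1400' = 'Active scripting'
    '1407' = 'Allow programmatic clipboard access'
    '1402' = 'Scripting of Java applets'
}
$tristate = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$logon    = @{ 0       = 'Automatic logon with username and password'
               0x10000 = 'Prompt for username and password'
               0x20000 = 'Automatic logon only in Intranet zone'
               0x30000 = 'Anonymous logon' }

# Per-user values are read first; the machine-wide key is the fallback (Group Policy or
# "use only machine settings" deployments may make HKLM authoritative instead).
$subKey = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$keys = @("HKCU:\$subKey", "HKLM:\$subKey") | Where-Object { Test-Path $_ }

function Get-ZoneValue([string]$Name) {
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [int]$v }
    }
    return $null
}

foreach ($entry in $settings.GetEnumerator()) {
    $raw = Get-ZoneValue $entry.Key
    $state = if ($null -eq $raw) { 'not set' }
             elseif ($tristate.ContainsKey($raw)) { $tristate[$raw] }
             else { 'raw 0x{0:X}' -f $raw }   # unexpected value: worth a closer look
    [pscustomobject]@{ Zone = $Zone; Value = $entry.Key; Setting = $entry.Value; State = $state }
}

# Logon (1A00) uses its own four-way encoding rather than Enable/Prompt/Disable.
$raw = Get-ZoneValue '1A00'
$state = if ($null -eq $raw) { 'not set' } elseif ($logon.ContainsKey($raw)) { $logon[$raw] } else { 'raw 0x{0:X}' -f $raw }
[pscustomobject]@{ Zone = $Zone; Value = '1A00'; Setting = 'Logon'; State = $state }
```

Run it once per zone (for example `-Zone 3` for Internet and `-Zone 1` for Intranet) and compare the output against the zone baseline you expect; an "Enable" for cross-domain data access or nonencrypted form submission in the Internet zone is the kind of drift worth flagging.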