Sign in with
Sign up | Sign in
Your question

IE Disinformation bar woes

Last response: in Windows XP
Share
Anonymous
a b 8 Security
February 15, 2005 8:34:19 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've got Win XP Pro (with all patches) and I've written
a simple .htm file, shown below. My IE 6 insists on
showing me the information bar ("To help protect your
security, Internet Explorer has restricted this file from
showing active content that could access your computer.
Click here for options...") each time I double click on this
file, and it is bugging the heck out of me since it takes
THREE ADDITIONAL clicks to actually get a file
showing properly (even one would be too many). For
anyone doing development work this is a horrible
situation.

If I click on the "information bar" (should be called
content bar, since it's barring content) help, about 1/3
of the way down it tells me that I can "stop blocking
file and software downloads with the Information Bar"
by going to Control Panel -> Internet Options -> Security
tab -> select My Computer (which I've enabled to be
shown by reading http://support.microsoft.com/?kbid=315933
and then changing HKEY_CURRENT_USER\SOFTWARE\
Microsoft\Windows\Current Version\Internet Settings\Zones\0\
Flags from (hex) 21 to 47)
Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
'Automatic prompting for ActiveX controls' I clicked enable.
In addition, under the Advanced tab of Internet Options,
near the bottom under the Security section I have checked:
Allow active content to run in files on My Computer.
None of this has worked for me.

Can someone advise me where the appropriate setting is
to get rid of this massive annoyance. I'm even happy
adding the list of files (or maybe a directory) that I want
so enabled, but the current situation is really awful.

Thanks,
Csaba Gabor from Vienna

sample newin.htm file (remove onclick line, and
the information-bar no longer blocks):

<html><head><title>New Window Test</title></head>
<body>
<a id='foo' target=_blank href='newin.htm'
onclick='document.links[0].href += "?bar=baz"
>Hi Mom</body></html>
Anonymous
a b 8 Security
February 15, 2005 11:44:48 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

There seems to be some very skanky stuff going on with
this security "feature." Evidently the security settings used
are the ones in the MOST RECENT INSTANCE of IE
and NOT what has just been entered into the Internet
Options panels. I never even had a fighting chance since
I almost always have several IE windows open and I was
accessing Internet Options through Control Panel and not
even a browser. It was only by accident that I went back
to check my .htm file after opening up a fresh window
that I was able to start down the road to this conclusion.

While ie's behaviour is motivated (I presume) by an
attempt to have IE load faster, security wise the exhibited
behaviour is VERY POOR since the settings shown
correspond to what has been most recently set but these
are not the settings that the running instance may be using.
Furthermore, the unsuspecting user may make some tests
and convince himself that what is happening in front of his
eyes is what will happen the next time he turns his PC off
and turns it back on again. Really shoddy, Microsoft.

As to how I could make these assertions about the forking...
When IE forks a copy of itself, all the forked versions keep
the same temporary cookies. Anyone who has multiple
emails at yahoo is sure to realize this. If he forks a copy
of the browser and logs into yahoo on one, then to another
yahoo account on the second, he will have logged himself out
of the first. This does not happen if the two instances are
started independently (for excruciating details on this topic
see my post at
http://forums.devshed.com/showthread.php?threadid=35068)

One of the oldest browser windows on my system was
logged into yahoo. So to test out my theory, I did ctrl+n
with it active to get a most recent browser window whose
origin I knew. Then I minimized it and activated another
IE instance (just to be sure I didn't give any preference
to the yahoo one). Now I brought up the windows
explorer folder with my test file and double clicked on it.
It brought up a new IE, and it failed (that is, the information
bar came up). then I typed mail.yahoo.com into its address
bar and I was looking at my mail folder in yahoo. That is to
say, I was already logged into yahoo on this newest ie instance
since I had the temporary cookies from the original yahoo
browser which got transferred via the intermediate "most recent
ie instance". Of course, there were a few other similar
experiments to confirm that.


Finally, I would add that I looked at
http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
Specifically, in the last section, above the references, they
introduce a little trick to "place" a local .htm file into the internet
zone: you should claim that it CAME from the internet. Do this
by inserting the following type of comment line:
<!-- saved from url=(0026)http://www.SomeDomain.com/ -->
where that number counts the number of characters in the URL.
I would guess that this is supposed to simulate a request from
that domain on the invoking browser, but it never worked as
advertised for me. The claim was that it wouldn't do the same
nasty script supression stuff that happens with files otherwise
from the hard drive, which is exactly why I tried using this
method. I could not get it to work. At first I gave it a fake name,
because I doubted that the browser would want to spend the
time verifying that the domain existed and even if it did, it
might be unavailable, blah, blah, blah. But even when I gave
it a bone fide domain, I couldn't get it to run the content
without it wanting to abuse my wrist muscles.

Csaba Gabor from Vienna

PS. Even though the behaviour above is abysmal, I do
like the popup blocking feature of the information bar.
That part has made casual browsing much more fun, and
I have not yet noticed any negative consequences for my
own browsing behaviour.

"Csaba Gabor" <news@CsabaGabor.com> wrote in message
news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
> I've got Win XP Pro (with all patches) and I've written
> a simple .htm file, shown below. My IE 6 insists on
> showing me the information bar ("To help protect your
> security, Internet Explorer has restricted this file from
> showing active content that could access your computer.
> Click here for options...") each time I double click on this
> file, and it is bugging the heck out of me since it takes
> THREE ADDITIONAL clicks to actually get a file
> showing properly (even one would be too many). For
> anyone doing development work this is a horrible
> situation.
>
> If I click on the "information bar" (should be called
> content bar, since it's barring content) help, about 1/3
> of the way down it tells me that I can "stop blocking
> file and software downloads with the Information Bar"
> by going to Control Panel -> Internet Options -> Security
> tab -> select My Computer (which I've enabled to be
> shown by reading http://support.microsoft.com/?kbid=315933
> and then changing HKEY_CURRENT_USER\SOFTWARE\
> Microsoft\Windows\Current Version\Internet Settings\Zones\0\
> Flags from (hex) 21 to 47)
> Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
> 'Automatic prompting for ActiveX controls' I clicked enable.
> In addition, under the Advanced tab of Internet Options,
> near the bottom under the Security section I have checked:
> Allow active content to run in files on My Computer.
> None of this has worked for me.
>
> Can someone advise me where the appropriate setting is
> to get rid of this massive annoyance. I'm even happy
> adding the list of files (or maybe a directory) that I want
> so enabled, but the current situation is really awful.
>
> Thanks,
> Csaba Gabor from Vienna
>
> sample newin.htm file (remove onclick line, and
> the information-bar no longer blocks):
>
> <html><head><title>New Window Test</title></head>
> <body>
> <a id='foo' target=_blank href='newin.htm'
> onclick='document.links[0].href += "?bar=baz"
> >Hi Mom</body></html>
Anonymous
a b 8 Security
February 16, 2005 2:10:33 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Allow active content to run in files on My Computer - Windows XP Service
Pack 2:
http://www.winxptutor.com/lmzunlock.htm


--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org


"Csaba Gabor" <news@CsabaGabor.com> wrote in message
news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
> I've got Win XP Pro (with all patches) and I've written
> a simple .htm file, shown below. My IE 6 insists on
> showing me the information bar ("To help protect your
> security, Internet Explorer has restricted this file from
> showing active content that could access your computer.
> Click here for options...") each time I double click on this
> file, and it is bugging the heck out of me since it takes
> THREE ADDITIONAL clicks to actually get a file
> showing properly (even one would be too many). For
> anyone doing development work this is a horrible
> situation.
>
> If I click on the "information bar" (should be called
> content bar, since it's barring content) help, about 1/3
> of the way down it tells me that I can "stop blocking
> file and software downloads with the Information Bar"
> by going to Control Panel -> Internet Options -> Security
> tab -> select My Computer (which I've enabled to be
> shown by reading http://support.microsoft.com/?kbid=315933
> and then changing HKEY_CURRENT_USER\SOFTWARE\
> Microsoft\Windows\Current Version\Internet Settings\Zones\0\
> Flags from (hex) 21 to 47)
> Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
> 'Automatic prompting for ActiveX controls' I clicked enable.
> In addition, under the Advanced tab of Internet Options,
> near the bottom under the Security section I have checked:
> Allow active content to run in files on My Computer.
> None of this has worked for me.
>
> Can someone advise me where the appropriate setting is
> to get rid of this massive annoyance. I'm even happy
> adding the list of files (or maybe a directory) that I want
> so enabled, but the current situation is really awful.
>
> Thanks,
> Csaba Gabor from Vienna
>
> sample newin.htm file (remove onclick line, and
> the information-bar no longer blocks):
>
> <html><head><title>New Window Test</title></head>
> <body>
> <a id='foo' target=_blank href='newin.htm'
> onclick='document.links[0].href += "?bar=baz"
>>Hi Mom</body></html>
>
>
Anonymous
a b 8 Security
February 16, 2005 5:31:06 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for that nicely written reference. I have done some
further investigations on these Win XP Service Pack 2 security
features and found some interesting results.

First of all, I have read about the
FEATURE_LocalMachine_Lockdown feature and other
features (watch the url wrapping) at
http://msdn.microsoft.com/library/default.asp?url=/work...
http://msdn.microsoft.com/library/default.asp?url=/work...
and
http://msdn.microsoft.com/security/productinfo/XPSP2/se...

This latter says (in a rather horribly worded way (and mitigated!? - who
writes that stuff?)) that if either
HKEY_LOCAL_MACHINE \Software\Microsoft \Internet Explorer\main
\FeatureControl\FEATURE_LocalMachine_Lockdown
or
HKEY_CURRENT_USER \Software\Microsoft \Internet Explorer\main
\FeatureControl\FEATURE_LocalMachine_Lockdown
are 1 then the LocalMachine zone is locked down. This has not been the case
in my testing
(and this time I tested after having rebooted with no instances of IE
running).
In particular, the value at the former location did not make a difference in
my testing.

There are two points of interest in the rest of this detailed post.
1) Marking pages and internet zones
2) Link clicking

Whenever I talk about script in the below section (or in my
previous posts on this topic, I am talking about javascript
in some form that might get executed. It does not necessarily
have to be enclosed in <script ...> tags

1) Marking pages - what can we make of it?
This is just a fancy way of putting a mark in a (.htm/.html) file
that says run me as if I came from the internet and that way
you won't get any burdensome messages saying keep clicking
here to continue.

This mark takes the form of a line somewhere within the .htm like:
<!-- saved from url=(0023)http://www.contoso.com/ -->

so at first it looks like there is some authentication going on, but
then we think that this kind of thing might not be practical. In fact,
if we check the excellent http://www.phdcc.com/xpsp2.htm
we find another example:
<!-- saved from url=(0014)about:internet -->

In fact, there are many variations on this theme. Pretty much
any combination of numbers and "page" will work, the only
difference seems to be whether IE puts them in the internet or
restricted zone. But IE seems to be pretty liberal on this point.

Things that are in the restricted zone
<!-- saved from url=(0000) -->
<!-- saved from url=(0000)trusted:site -->
<!-- saved from url=(0003)a:b -->
<!-- saved from url=(0010)noprotocol -->


Things that are in the internet zone
<!-- saved from url=(0002)x:trusted -->
<!-- saved from url=(0003)x:y -->
<!-- saved from url=(0007)what:ever -->

In particular, note that valid protocols are not needed
and the counting deficient get off pretty easily.

2a) Whenever there was a link to a valid page (whether on
disk or on the internet) or a link to an invalid internet page
(http://...), I could click or open the link in a new page.

b) If the link was to an invalid location on disk:
If the page was not marked (whether or not it had script),
then clicking on such an invalid link resulted in the browser
window showing that the page could not be displayed, whereas
right clicking to open in a new window gave me an error alert
box saying that the location was invalid and no new window
was opened.

If the page was marked however (regardless of local machine
lockdown), then clicking on the invalid link (to a local disk file)
produceed no change, nor did right clicking to open in a
new window lead to any error message or other observable
sign that a click has been attempted. In other words, it failed
silently.

Well, I have bigger fish to fry, but these points really have
not been thoroughly documented elsewhere, and coupled
with the bizarre practise of not having the security of the
browser match what is displayed, this has led to quite a bit
of time that could have better been spent elsewhere.

Csaba Gabor from Vienna


"Ramesh, MS-MVP" <ramesh@online.mvps.org> wrote in message
news:udfzon%23EFHA.2052@TK2MSFTNGP09.phx.gbl...
> Allow active content to run in files on My Computer - Windows XP Service
> Pack 2:
> http://www.winxptutor.com/lmzunlock.htm
>
>
> --
> Ramesh, Microsoft MVP
> Windows XP Shell/User
> http://windowsxp.mvps.org
>
>
> "Csaba Gabor" <news@CsabaGabor.com> wrote in message
> news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
>> I've got Win XP Pro (with all patches) and I've written
>> a simple .htm file, shown below. My IE 6 insists on
>> showing me the information bar ("To help protect your
>> security, Internet Explorer has restricted this file from
>> showing active content that could access your computer.
>> Click here for options...") each time I double click on this
>> file, and it is bugging the heck out of me since it takes
>> THREE ADDITIONAL clicks to actually get a file
>> showing properly (even one would be too many). For
>> anyone doing development work this is a horrible
>> situation.
>>
>> If I click on the "information bar" (should be called
>> content bar, since it's barring content) help, about 1/3
>> of the way down it tells me that I can "stop blocking
>> file and software downloads with the Information Bar"
>> by going to Control Panel -> Internet Options -> Security
>> tab -> select My Computer (which I've enabled to be
>> shown by reading http://support.microsoft.com/?kbid=315933
>> and then changing HKEY_CURRENT_USER\SOFTWARE\
>> Microsoft\Windows\Current Version\Internet Settings\Zones\0\
>> Flags from (hex) 21 to 47)
>> Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
>> 'Automatic prompting for ActiveX controls' I clicked enable.
>> In addition, under the Advanced tab of Internet Options,
>> near the bottom under the Security section I have checked:
>> Allow active content to run in files on My Computer.
>> None of this has worked for me.
>>
>> Can someone advise me where the appropriate setting is
>> to get rid of this massive annoyance. I'm even happy
>> adding the list of files (or maybe a directory) that I want
>> so enabled, but the current situation is really awful.
>>
>> Thanks,
>> Csaba Gabor from Vienna
>>
>> sample newin.htm file (remove onclick line, and
>> the information-bar no longer blocks):
>>
>> <html><head><title>New Window Test</title></head>
>> <body>
>> <a id='foo' target=_blank href='newin.htm'
>> onclick='document.links[0].href += "?bar=baz"
>>>Hi Mom</body></html>
>>
>>
>
!