IE Disinformation bar woes

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've got Win XP Pro (with all patches) and I've written
a simple .htm file, shown below. My IE 6 insists on
showing me the information bar ("To help protect your
security, Internet Explorer has restricted this file from
showing active content that could access your computer.
Click here for options...") each time I double click on this
file, and it is bugging the heck out of me since it takes
THREE ADDITIONAL clicks to actually get a file
showing properly (even one would be too many). For
anyone doing development work this is a horrible
situation.

If I click on the "information bar" (should be called
content bar, since it's barring content) help, about 1/3
of the way down it tells me that I can "stop blocking
file and software downloads with the Information Bar"
by going to Control Panel -> Internet Options -> Security
tab -> select My Computer (which I've enabled to be
shown by reading http://support.microsoft.com/?kbid=315933
and then changing HKEY_CURRENT_USER\SOFTWARE\
Microsoft\Windows\Current Version\Internet Settings\Zones\0\
Flags from (hex) 21 to 47)
Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
'Automatic prompting for ActiveX controls' I clicked enable.
In addition, under the Advanced tab of Internet Options,
near the bottom under the Security section I have checked:
Allow active content to run in files on My Computer.
None of this has worked for me.

Can someone advise me where the appropriate setting is
to get rid of this massive annoyance. I'm even happy
adding the list of files (or maybe a directory) that I want
so enabled, but the current situation is really awful.

Thanks,
Csaba Gabor from Vienna

sample newin.htm file (remove onclick line, and
the information-bar no longer blocks):

<html><head><title>New Window Test</title></head>
<body>
<a id='foo' target=_blank href='newin.htm'
onclick='document.links[0].href += "?bar=baz"
>Hi Mom</body></html>
3 answers Last reply
More about disinformation woes
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    There seems to be some very skanky stuff going on with
    this security "feature." Evidently the security settings used
    are the ones in the MOST RECENT INSTANCE of IE
    and NOT what has just been entered into the Internet
    Options panels. I never even had a fighting chance since
    I almost always have several IE windows open and I was
    accessing Internet Options through Control Panel and not
    even a browser. It was only by accident that I went back
    to check my .htm file after opening up a fresh window
    that I was able to start down the road to this conclusion.

    While ie's behaviour is motivated (I presume) by an
    attempt to have IE load faster, security wise the exhibited
    behaviour is VERY POOR since the settings shown
    correspond to what has been most recently set but these
    are not the settings that the running instance may be using.
    Furthermore, the unsuspecting user may make some tests
    and convince himself that what is happening in front of his
    eyes is what will happen the next time he turns his PC off
    and turns it back on again. Really shoddy, Microsoft.

    As to how I could make these assertions about the forking...
    When IE forks a copy of itself, all the forked versions keep
    the same temporary cookies. Anyone who has multiple
    emails at yahoo is sure to realize this. If he forks a copy
    of the browser and logs into yahoo on one, then to another
    yahoo account on the second, he will have logged himself out
    of the first. This does not happen if the two instances are
    started independently (for excruciating details on this topic
    see my post at
    http://forums.devshed.com/showthread.php?threadid=35068)

    One of the oldest browser windows on my system was
    logged into yahoo. So to test out my theory, I did ctrl+n
    with it active to get a most recent browser window whose
    origin I knew. Then I minimized it and activated another
    IE instance (just to be sure I didn't give any preference
    to the yahoo one). Now I brought up the windows
    explorer folder with my test file and double clicked on it.
    It brought up a new IE, and it failed (that is, the information
    bar came up). then I typed mail.yahoo.com into its address
    bar and I was looking at my mail folder in yahoo. That is to
    say, I was already logged into yahoo on this newest ie instance
    since I had the temporary cookies from the original yahoo
    browser which got transferred via the intermediate "most recent
    ie instance". Of course, there were a few other similar
    experiments to confirm that.


    Finally, I would add that I looked at
    http://support.microsoft.com/default.aspx?scid=kb;en-us;833633
    Specifically, in the last section, above the references, they
    introduce a little trick to "place" a local .htm file into the internet
    zone: you should claim that it CAME from the internet. Do this
    by inserting the following type of comment line:
    <!-- saved from url=(0026)http://www.SomeDomain.com/ -->
    where that number counts the number of characters in the URL.
    I would guess that this is supposed to simulate a request from
    that domain on the invoking browser, but it never worked as
    advertised for me. The claim was that it wouldn't do the same
    nasty script supression stuff that happens with files otherwise
    from the hard drive, which is exactly why I tried using this
    method. I could not get it to work. At first I gave it a fake name,
    because I doubted that the browser would want to spend the
    time verifying that the domain existed and even if it did, it
    might be unavailable, blah, blah, blah. But even when I gave
    it a bone fide domain, I couldn't get it to run the content
    without it wanting to abuse my wrist muscles.

    Csaba Gabor from Vienna

    PS. Even though the behaviour above is abysmal, I do
    like the popup blocking feature of the information bar.
    That part has made casual browsing much more fun, and
    I have not yet noticed any negative consequences for my
    own browsing behaviour.

    "Csaba Gabor" <news@CsabaGabor.com> wrote in message
    news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
    > I've got Win XP Pro (with all patches) and I've written
    > a simple .htm file, shown below. My IE 6 insists on
    > showing me the information bar ("To help protect your
    > security, Internet Explorer has restricted this file from
    > showing active content that could access your computer.
    > Click here for options...") each time I double click on this
    > file, and it is bugging the heck out of me since it takes
    > THREE ADDITIONAL clicks to actually get a file
    > showing properly (even one would be too many). For
    > anyone doing development work this is a horrible
    > situation.
    >
    > If I click on the "information bar" (should be called
    > content bar, since it's barring content) help, about 1/3
    > of the way down it tells me that I can "stop blocking
    > file and software downloads with the Information Bar"
    > by going to Control Panel -> Internet Options -> Security
    > tab -> select My Computer (which I've enabled to be
    > shown by reading http://support.microsoft.com/?kbid=315933
    > and then changing HKEY_CURRENT_USER\SOFTWARE\
    > Microsoft\Windows\Current Version\Internet Settings\Zones\0\
    > Flags from (hex) 21 to 47)
    > Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
    > 'Automatic prompting for ActiveX controls' I clicked enable.
    > In addition, under the Advanced tab of Internet Options,
    > near the bottom under the Security section I have checked:
    > Allow active content to run in files on My Computer.
    > None of this has worked for me.
    >
    > Can someone advise me where the appropriate setting is
    > to get rid of this massive annoyance. I'm even happy
    > adding the list of files (or maybe a directory) that I want
    > so enabled, but the current situation is really awful.
    >
    > Thanks,
    > Csaba Gabor from Vienna
    >
    > sample newin.htm file (remove onclick line, and
    > the information-bar no longer blocks):
    >
    > <html><head><title>New Window Test</title></head>
    > <body>
    > <a id='foo' target=_blank href='newin.htm'
    > onclick='document.links[0].href += "?bar=baz"
    > >Hi Mom</body></html>
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Allow active content to run in files on My Computer - Windows XP Service
    Pack 2:
    http://www.winxptutor.com/lmzunlock.htm


    --
    Ramesh, Microsoft MVP
    Windows XP Shell/User
    http://windowsxp.mvps.org


    "Csaba Gabor" <news@CsabaGabor.com> wrote in message
    news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
    > I've got Win XP Pro (with all patches) and I've written
    > a simple .htm file, shown below. My IE 6 insists on
    > showing me the information bar ("To help protect your
    > security, Internet Explorer has restricted this file from
    > showing active content that could access your computer.
    > Click here for options...") each time I double click on this
    > file, and it is bugging the heck out of me since it takes
    > THREE ADDITIONAL clicks to actually get a file
    > showing properly (even one would be too many). For
    > anyone doing development work this is a horrible
    > situation.
    >
    > If I click on the "information bar" (should be called
    > content bar, since it's barring content) help, about 1/3
    > of the way down it tells me that I can "stop blocking
    > file and software downloads with the Information Bar"
    > by going to Control Panel -> Internet Options -> Security
    > tab -> select My Computer (which I've enabled to be
    > shown by reading http://support.microsoft.com/?kbid=315933
    > and then changing HKEY_CURRENT_USER\SOFTWARE\
    > Microsoft\Windows\Current Version\Internet Settings\Zones\0\
    > Flags from (hex) 21 to 47)
    > Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
    > 'Automatic prompting for ActiveX controls' I clicked enable.
    > In addition, under the Advanced tab of Internet Options,
    > near the bottom under the Security section I have checked:
    > Allow active content to run in files on My Computer.
    > None of this has worked for me.
    >
    > Can someone advise me where the appropriate setting is
    > to get rid of this massive annoyance. I'm even happy
    > adding the list of files (or maybe a directory) that I want
    > so enabled, but the current situation is really awful.
    >
    > Thanks,
    > Csaba Gabor from Vienna
    >
    > sample newin.htm file (remove onclick line, and
    > the information-bar no longer blocks):
    >
    > <html><head><title>New Window Test</title></head>
    > <body>
    > <a id='foo' target=_blank href='newin.htm'
    > onclick='document.links[0].href += "?bar=baz"
    >>Hi Mom</body></html>
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Thanks for that nicely written reference. I have done some
    further investigations on these Win XP Service Pack 2 security
    features and found some interesting results.

    First of all, I have read about the
    FEATURE_LocalMachine_Lockdown feature and other
    features (watch the url wrapping) at
    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/reference/enums/INTERNETFEATURELIST.asp
    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/overview.asp
    and
    http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx

    This latter says (in a rather horribly worded way (and mitigated!? - who
    writes that stuff?)) that if either
    HKEY_LOCAL_MACHINE \Software\Microsoft \Internet Explorer\main
    \FeatureControl\FEATURE_LocalMachine_Lockdown
    or
    HKEY_CURRENT_USER \Software\Microsoft \Internet Explorer\main
    \FeatureControl\FEATURE_LocalMachine_Lockdown
    are 1 then the LocalMachine zone is locked down. This has not been the case
    in my testing
    (and this time I tested after having rebooted with no instances of IE
    running).
    In particular, the value at the former location did not make a difference in
    my testing.

    There are two points of interest in the rest of this detailed post.
    1) Marking pages and internet zones
    2) Link clicking

    Whenever I talk about script in the below section (or in my
    previous posts on this topic, I am talking about javascript
    in some form that might get executed. It does not necessarily
    have to be enclosed in <script ...> tags

    1) Marking pages - what can we make of it?
    This is just a fancy way of putting a mark in a (.htm/.html) file
    that says run me as if I came from the internet and that way
    you won't get any burdensome messages saying keep clicking
    here to continue.

    This mark takes the form of a line somewhere within the .htm like:
    <!-- saved from url=(0023)http://www.contoso.com/ -->

    so at first it looks like there is some authentication going on, but
    then we think that this kind of thing might not be practical. In fact,
    if we check the excellent http://www.phdcc.com/xpsp2.htm
    we find another example:
    <!-- saved from url=(0014)about:internet -->

    In fact, there are many variations on this theme. Pretty much
    any combination of numbers and "page" will work, the only
    difference seems to be whether IE puts them in the internet or
    restricted zone. But IE seems to be pretty liberal on this point.

    Things that are in the restricted zone
    <!-- saved from url=(0000) -->
    <!-- saved from url=(0000)trusted:site -->
    <!-- saved from url=(0003)a:b -->
    <!-- saved from url=(0010)noprotocol -->


    Things that are in the internet zone
    <!-- saved from url=(0002)x:trusted -->
    <!-- saved from url=(0003)x:y -->
    <!-- saved from url=(0007)what:ever -->

    In particular, note that valid protocols are not needed
    and the counting deficient get off pretty easily.

    2a) Whenever there was a link to a valid page (whether on
    disk or on the internet) or a link to an invalid internet page
    (http://...), I could click or open the link in a new page.

    b) If the link was to an invalid location on disk:
    If the page was not marked (whether or not it had script),
    then clicking on such an invalid link resulted in the browser
    window showing that the page could not be displayed, whereas
    right clicking to open in a new window gave me an error alert
    box saying that the location was invalid and no new window
    was opened.

    If the page was marked however (regardless of local machine
    lockdown), then clicking on the invalid link (to a local disk file)
    produceed no change, nor did right clicking to open in a
    new window lead to any error message or other observable
    sign that a click has been attempted. In other words, it failed
    silently.

    Well, I have bigger fish to fry, but these points really have
    not been thoroughly documented elsewhere, and coupled
    with the bizarre practise of not having the security of the
    browser match what is displayed, this has led to quite a bit
    of time that could have better been spent elsewhere.

    Csaba Gabor from Vienna


    "Ramesh, MS-MVP" <ramesh@online.mvps.org> wrote in message
    news:udfzon%23EFHA.2052@TK2MSFTNGP09.phx.gbl...
    > Allow active content to run in files on My Computer - Windows XP Service
    > Pack 2:
    > http://www.winxptutor.com/lmzunlock.htm
    >
    >
    > --
    > Ramesh, Microsoft MVP
    > Windows XP Shell/User
    > http://windowsxp.mvps.org
    >
    >
    > "Csaba Gabor" <news@CsabaGabor.com> wrote in message
    > news:eG5Ley3EFHA.2176@TK2MSFTNGP15.phx.gbl...
    >> I've got Win XP Pro (with all patches) and I've written
    >> a simple .htm file, shown below. My IE 6 insists on
    >> showing me the information bar ("To help protect your
    >> security, Internet Explorer has restricted this file from
    >> showing active content that could access your computer.
    >> Click here for options...") each time I double click on this
    >> file, and it is bugging the heck out of me since it takes
    >> THREE ADDITIONAL clicks to actually get a file
    >> showing properly (even one would be too many). For
    >> anyone doing development work this is a horrible
    >> situation.
    >>
    >> If I click on the "information bar" (should be called
    >> content bar, since it's barring content) help, about 1/3
    >> of the way down it tells me that I can "stop blocking
    >> file and software downloads with the Information Bar"
    >> by going to Control Panel -> Internet Options -> Security
    >> tab -> select My Computer (which I've enabled to be
    >> shown by reading http://support.microsoft.com/?kbid=315933
    >> and then changing HKEY_CURRENT_USER\SOFTWARE\
    >> Microsoft\Windows\Current Version\Internet Settings\Zones\0\
    >> Flags from (hex) 21 to 47)
    >> Then click Custom Level. and 'under ActiveX controls and plug-ins' ->
    >> 'Automatic prompting for ActiveX controls' I clicked enable.
    >> In addition, under the Advanced tab of Internet Options,
    >> near the bottom under the Security section I have checked:
    >> Allow active content to run in files on My Computer.
    >> None of this has worked for me.
    >>
    >> Can someone advise me where the appropriate setting is
    >> to get rid of this massive annoyance. I'm even happy
    >> adding the list of files (or maybe a directory) that I want
    >> so enabled, but the current situation is really awful.
    >>
    >> Thanks,
    >> Csaba Gabor from Vienna
    >>
    >> sample newin.htm file (remove onclick line, and
    >> the information-bar no longer blocks):
    >>
    >> <html><head><title>New Window Test</title></head>
    >> <body>
    >> <a id='foo' target=_blank href='newin.htm'
    >> onclick='document.links[0].href += "?bar=baz"
    >>>Hi Mom</body></html>
    >>
    >>
    >
Ask a new question

Read More

Internet Explorer Security Windows XP