Download signed ActiveX controls.
Being signed by a certifying authority is an indication that
an ActiveX control should be safe, and as such you
should be comfortable setting this to Enable unless
you have no desire for any ActiveX controls on your system,
in which case select Disable, or Prompt so you
can choose to download them for certain websites, e.g.
Windows Update & Shockwave Flash.

Download unsigned ActiveX controls.
Unsigned ActiveX controls can be much more of a potential
security risk than signed ones & as such should certainly
not be set to Enable. Rather, leave this set to
Disable or Prompt for improved security, only
allowing controls to be downloaded on sites you know can be
trusted.

Initialize & script ActiveX controls not marked as safe.
Similar to the previous option: if you’ve set the above to
Disable, set this to Disable also; otherwise
set this to Prompt (recommended) or Enable
(not recommended) instead to allow such unsigned controls to
be run.

Run ActiveX controls and plug-ins.
Assuming you don’t accept every ActiveX control/plug-in you
come across you should be relatively safe setting this to
Prompt or Administrator approved. I wouldn’t
recommend selecting Enable though unless you have
only Download signed ActiveX controls set to
Enable or Download unsigned ActiveX controls to
Disable. If you’ve not accepted any ActiveX control
downloads you can set this to Disable.

Script ActiveX controls marked safe for scripting.
Similar to the previous option if you have that set to
Enable/Administrator approved or Prompt
then you should set this option accordingly. These will pose
less of a risk than unsafe controls & you shouldn’t need to
set this to Disable at all.

File download.
Setting this to Disable disables the
downloading of files in the security zone. Attempting to do
so will result in the following error being displayed.

Setting this to
Enable will allow downloading of files as normal in
the security zone, as such this is perhaps best suited to
the Restricted sites zone.

Access data sources across domains.
This option sets how MSXML (eXtensible Markup
Language) accesses data across the various security
zones. The default settings for this are sufficiently
secure, however: Internet – Disable,
Local intranet – Prompt, Trusted sites
– Enable & Restricted sites – Disable.
For more detailed information regarding this option check
MSDN's XML Client Security article.

Allow META REFRESH.
The meta refresh HTML tag allows a webpage to be reloaded or
(more commonly) redirected to another webpage. While
this may seem innocent enough, e.g. our Forums (and others)
use this tag to redirect you to the thread where you posted a
comment/reply – heck, even Gibson Research Corporation
uses it – it’s also associated with many security
vulnerabilities as it can allow them to be auto-executed. As
such it would be advisable to set this to Disable.
See further down for how to minimize the adverse effects on
convenience this can have, e.g. Forums reloading a thread
after you post a comment/reply.

Allow scripting of Internet Explorer Webbrowser control.
In the past several IE vulnerabilities have exploited the
Webbrowser control; as such you should check this is set to
Disable.

Active scripting.
One of the most popular ways of exploiting IE6 is via
scripting, though many legitimate websites use scripting,
e.g. Windows Update. While
setting this to Disable will significantly aid in
securing IE6, it will also have a noticeable effect on
website functionality, e.g. Windows Update will not
function. Perhaps one beneficial effect though is that
pop-up/under windows will not appear at all. It’s worth
noting that this (disabling Active Scripting) is recommended
by many security experts, e.g. Georgi Guninski.

Allow paste operations via script.
This feature allows webpages that script DHTML to paste the
contents of your clipboard, which obviously should be a
rather serious issue for most of you. As such it is strongly
recommended you set this to Disable; as an added
bonus this will have zero effect on
functionality/compatibility.

Scripting of Java applets.
JavaScript is an open, cross-platform object scripting
language (not to be confused with Sun’s Java) and, much like
the Active Scripting option above, also represents a big
enough potential security risk; as such it is recommended
you set this to Disable or Prompt.

Once you have made these changes select the OK button, then
select Yes when prompted.
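
Each option above is stored per zone in the registry as a numbered action value. As an added example (not part of the original guide), the script below checks a reg export of the Zones key against the settings this guide rules in for the Internet zone. The action numbers and value codes are Microsoft's documented ones; the function names are made up for illustration and the sample export is constructed.

```python
import re
# Microsoft's documented URL-action numbers and value codes for the registry keys
# HKCU\...\Internet Settings\Zones\<n>; the allowed sets encode this guide's advice.
ENABLE, PROMPT, DISABLE, ADMIN_APPROVED = 0x0, 0x1, 0x3, 0x10000
NAMES = {None: "not set", ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable",
         ADMIN_APPROVED: "Administrator approved"}
RECOMMENDED = {
    "1004": ("Download unsigned ActiveX controls", {DISABLE, PROMPT}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {DISABLE, PROMPT}),
    "1200": ("Run ActiveX controls and plug-ins", {PROMPT, ADMIN_APPROVED, DISABLE}),
    "1608": ("Allow META REFRESH", {DISABLE}),
    "1206": ("Allow scripting of Internet Explorer Webbrowser control", {DISABLE}),
    "1407": ("Allow paste operations via script", {DISABLE}),
    "1402": ("Scripting of Java applets", {DISABLE, PROMPT}),
}
DWORD_LINE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zone_export(text, zone="3"):
    """Return {action: value} for one zone (3 = Internet) from `reg export` text."""
    values, in_zone = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_zone = line.rstrip("]").endswith("\\Zones\\" + zone)
        elif in_zone and (m := DWORD_LINE.match(line)):
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(values):
    """Return (action, option, current setting) for each value outside the advice."""
    findings = []
    for action, (name, allowed) in RECOMMENDED.items():
        current = values.get(action)  # None when the export has no such value
        if current not in allowed:
            findings.append((action, name, NAMES.get(current) or hex(current)))
    return findings

# Constructed sample (real exports are UTF-16; decode them before parsing).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1608"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000001
"1201"=dword:00000003
"1200"=dword:00000000
"1608"=dword:00000000
"1206"=dword:00000003
"1407"=dword:00000001
'''
print(audit(parse_zone_export(SAMPLE)))
```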

As indicated, adjusting these options has varying
functionality issues. These can be compensated for by adding
sites to different content zones, e.g. if you want certain
trusted sites to have fewer restrictions then add them to the
Trusted sites zone; on the other hand, if you want to lock
down certain sites then the Restricted sites zone would be
far more appropriate. To add a site to a specific zone,
select the zone then press the Sites button.

Simply insert the address of the site into the Add this Web
site to the zone field & select the Add button to add the
site. These can be deleted in the future using the Remove
button.

Require server verification (https:) for all sites in this zone.
Selecting this option specifies that IE6 should
verify you are connecting to a secure site before applying
the Trusted zone restrictions to the site. This isn’t
entirely necessary of course.