IE in XP SP2 (Part 4): Opting-in to IE Security Features
Many of the security features I've mentioned in previous entries are opt-in, so if you have a custom application that hosts the web browser control you won't automatically be impacted by them. But what about the many great applications that host the web browser control, such as MyIE2, Avant Browser, or iRider? In those cases the developer may want to turn on some or all of the new security features during install. Advanced users can do this too.
The easiest way to enable the IE security features for an application is to use the "FeatureControl" registry keys described on the XP SP2 RC1 Preview site, with a more complete list on MSDN. As an example, lets say you use MyIE2 and want to opt-in to the Information Bar, block non-user-initiated file downloads, block ActiveX install prompts, and lock down the Local Machine Zone. Use regedit to set the following values:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]"MyIE.exe"=dword:00000001[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]"MyIE.exe"=dword:00000001[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]"MyIE.exe"=dword:00000001[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]"MyIE.exe"=dword:00000001
You can also add these in HKLM if you want them to affect all users. After adding these registry keys restart MyIE and navigate to a web site that tries to do one of these things... Information Bar!
Similarly, let's say that you work in a company that has a mission critical application built on IE that is broken because of one of these security features. Using the same technique you can selectively disable them for the iexplore.exe or explorer.exe processes until you are able to update the application.
Curiously, in writing this blog I discovered that Avant Browser is also named "iexplore.exe", so by default it will inherit all of the IE security features. So is that a feature or a bug?
Reminder: This is preliminary information and subject to change. This isn't official documentation, just stuff I think people will find interesting.
Comments
Anonymous
March 31, 2004
Is there a wild-card application name which could be used to enable these by default for everything which uses IE?Anonymous
April 03, 2004
"Curiously, in writing this blog I discovered that Avant Browser is also named "iexplore.exe", so by default it will inherit all of the IE security features. So is that a feature or a bug?"
It's a... err... feature. It was renamed iexplore.exe from avant.exe to workaround some compatibility issues with (apparently) some Sun Java plug-ins, which only worked with iexplore.exe (that's what the developer said, at least). In this case, it's a feature, by chance.Anonymous
June 04, 2004
Interesting. I tried a few experiments with removing the DWORDs for "iexplore.exe" [eg. FEATURE_SECURITYBAND], yet changing these values in the registry did nothing to change IEs features.
It was only when I changed the values at "HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew WindowsAllow" on my machine that I was able to turn on and off the popup blocker and the information bar.
Am I missing something here because changing the 'FeatureControl' registry keys doesn't seem to do anything on my machine.Anonymous
June 04, 2004
D'oh... I didn't mean to include the "Allow" key in my registry key structure.Anonymous
June 04, 2004
Geoff, deleting the keys may not be sufficient because there are internal defaults. Change the values from 1 to 0 or override in HKCU and you should have better luck.
If you just want to turn off the features for yourself, several of these like the information bar (for downloads and ActiveX) and pop-up blocker can be turned off through the zone settings UI.Anonymous
February 27, 2007
Summary XP SP2 is especially tough on content running in the Local Machine Zone (meaning html files runningAnonymous
June 23, 2008
PingBack from http://christian.sattexclusive.com/regeditinformationbar.html