Fix My Settings in IE7

Hi, this is Max and Uche from the user experience team. We want to talk to you about what we call the Fix My Settings feature. You will encounter this if you set your security settings to an insecure state whilst in the Internet or Restricted zone. When you choose an insecure setting, two things will happen:

  • An information bar will appear at the top of the browser with ‘Fix Settings for Me’ as the first menu option.
  • In place of your homepage, you will see a warning page on startup of IE.

Fix My Settings Prompt

We want to talk about some of the feedback that we’ve received about this feature. It primarily consists of the following three questions:

  • Why does IE continually remind me of my security settings?
  • How do I know which settings will leave me in an insecure state?
  • Are there any ways to get around the reminders?

Why does IE continually remind me of my security settings?

Our main goal is to give you an easy way to know that something is wrong with your browser security settings. To make it easy for you to fix this, we provide a one-click method that restores all the relevant settings to their secure default values. By providing constant reminders, our goal is to encourage you to fix your settings as soon as possible. The sooner you do this, the less opportunity malicious software has to get a foothold on your machine and the more secure your browsing experience will be.

How do I know which settings will leave me in an insecure state?

We decided that when you’re browsing in the Internet or Restricted zone, any settings that would allow arbitrary code to run on your computer without your consent could potentially put your computer at risk. You can identify these settings as the ones with (not secure) or (recommended) appended to the text in the security zone settings.

Settings Recommendation

Are there any ways to get around the reminders?

This feature can be controlled using Group Policy, but we do not provide a way in the user interface of turning off this feature. This is because putting your security settings at a non-recommended level has been one of the most common vectors of attack for spyware in the past. Users of older versions of IE often put their computers at risk temporarily to avoid compatibility issues with other applications and would then forget to set their security settings back to the recommended level. Spyware would then use this opportunity to effectively take over the computer. Although we want to continue to provide the ability to set your settings to a level that allows you to work with other applications, we also want to prevent you from keeping your settings in an insecure state for a long period of time, in order to reduce the attack surface that spyware has on your computer.

Conclusion

In summary, Fix My Settings is designed for two purposes:

  • To inform you when your browser is insecure
  • To provide an easy way for you to fix your security settings

Fix My Settings modifies any security setting that could allow arbitrary code to run without your consent. These are identified by (not secure) and (recommended) attached to the settings in both the Internet and the Restricted zone.

This feature can be controlled using Group Policy, but to maintain as secure a browsing experience as possible, we do not provide a way in the user interface for users to turn it off.

We hope you find this information useful and, as always, feedback is welcome.

 - Max and Uche

Comments

  • Anonymous
    March 08, 2006
    If I read this correctly it comes up every time you start IE?

    Power users and devs need to be able to turn it off without group policy like a don't remind me again.

  • Anonymous
    March 08, 2006
    Add an option to disable notification bars altogether (IE's javascript error icon in the status bar is a good model for this if you still want to notify users of an error/warning). I disable java/ActiveX in IE5 and it constantly gives me message boxes about not being able to display the page as the author intended.

    Firefox annoyingly ripped IE's notification bars off and since I don't want to install plugins, notification bars constantly appear which shifts the page down. But if you know what you're doing, you can edit browser.js to not make the bar appear at all (and also to make clicking on a plugin placeholder do nothing instead of trying to download the plugin).

  • Anonymous
    March 08, 2006
    Thank you, Nanny, but I think it quite wrong to make it troublesome for the user to set the security level required in different circumstances.

    The example you give is particularly relevant.

    I have 'initialize and script active X controls not marked as safe for scripting' set to prompt in Internet zone, for one good reason:

    XP Home, SP2, all updates. If you try to use any of the troubleshooters when in device manager/any device/properties, the troubleshooter won't run properly if that setting is set to disabled (you get a message that an active X control has been prevented from running). Set to prompt, you get a message that an active X control that might be unsafe is trying to run, and you can choose whether or not to let it.

    So until Microsoft marks its own active X controls in XP as safe for scripting I'll keep it at prompt, and deny if it's from somewhere I don't trust and accept otherwise.

  • Anonymous
    March 08, 2006
    JRosenfeld: I just tried out some troubleshooters and didn't have any problems.  (I have the setting set to "Disable".)  For you, is the troubleshooter showing up in the Help & Support window, or is it showing up in an IE window?  (It should be in a H&S window.)

  • Anonymous
    March 08, 2006
    I hate this setting. You beat us to death with the warning. We are users not sheep. If we mess it up then so be it.

  • Anonymous
    March 08, 2006
    JRosenfeld, keeping it at prompt is ok, this won't invoke the security warnings described above. Only if you actually set it (or any other security setting) to the option described as "(not secure)" will the security warnings start occurring.

  • Anonymous
    March 08, 2006
    There is something wrong to my mind with allowing the settings to be broken. If you're saying you're going to fix things then that means that they are broken. Wouldn't it be better to not allow them to break in the first place ?

    Or, better still, call them what they are - "Insecure settings" - and don't imply to the user that something magical 'broke' the system and that it needs to be fixed. Don't say that you're fixing something if you've left the option available for someone to change. That tells the user that they should never do anything because they will break things. Change the message to say "Make my settings more secure". Inform the user of potential problems and don't lie to them - the settings are not broken. They're just less secure than they might be.

    I believe there's a lyric that applies - if "you can break it, it's already broken".

  • Anonymous
    March 08, 2006
    Seems like most want to be able to get around this setting; that is until they mess it up and then the old blame game goes to Microsoft.

  • Anonymous
    March 08, 2006
    So, why would IE allow choosing unsafe settings for web browsing?

  • Anonymous
    March 08, 2006
    Great feature. As a "power user" I could live without it, but for people like my mum and dad (both already retired) this is very, very useful. They don't know anything about scripting or ActiveX and cannot decide which setting is safe and which is not.


    BTW, the red background for unsecure settings in the security tab is a good hint, too, to see which items are currently set to an unsecure value.

  • Anonymous
    March 08, 2006
    It's very concerning to see all this info about disabling ActiveX controls but nothing about the status of .NET controls. Can we please have some background about the ongoing support of these?

  • Anonymous
    March 08, 2006
    Why don't you guys call it
    "Secure my settings"
    instead of
    "Fix my settings"

    It isn't really fixing anything.

  • Anonymous
    March 08, 2006
    I seriously don't want any more popups suggesting that I don't know what I'm doing.

    "1. Why does IE continually remind me of my security settings?"
    "2. How do I know which settings will leave me in an insecure state?"
    "3. Are there any ways to get around the reminders?"

    translation:

    1. Why does IE continually tell me it doesn't work properly?
    2. How many options will I have to turn off?
    3. We won't give you any choices, we know what you want, don't question us.

    Please, don't take options away from the users, it's like taking my keys and telling me I shouldn't be driving a car.

  • Anonymous
    March 08, 2006
    Sounds Reasonable; even as a power user I've occasionally left my browser insecure after testing something so I'll be happy to leave this on my personal machine.

    As for development work (I actually find you're generally doing something wrong if you have to lower your security settings to get something to work in development) well use the policy setting - I mean that should be easy for a real power user - right?

  • Anonymous
    March 08, 2006
    What you think about security Outpost Firewall?

  • Anonymous
    March 08, 2006
    Some of you posting seem to forget that if you trust a site to be doing these programs that they should be added to the Trusted Zone list on a case-by-case basis rather than changing security for the entire Internet and Restricted Zones... stop whining about the IE Team doing their job to INCREASE SECURITY and protect users.

  • Anonymous
    March 09, 2006
    Thanks so much for informing all of us in such an early stage. We now all know that IE 7 will never become a feasible alternative for the superior browsers Opera and Firefox. The latter applications assume a certain level of intelligence in their users and act accordingly.

  • Anonymous
    March 09, 2006
    Xepol, you say that but then when you get spyware/malware/viruses onto your system through IE, you will blame IE for being insecure when it was your fault for disabling the security features.

    It is a tough spot to be in.

    If you give the user an option to disable a security feature you also give the bad software the option to get around your security.

  • Anonymous
    March 09, 2006
    In IE6, if a page uses any JavaScript, and if that page is loaded from a local device, that triggers a security warning. How does the "Fix My Settings" thing (I can't call it a feature!) affect local zone pages? Does it affect that at all? If the security warning of IE6 is reproduced in IE7, IE7 is unusable. IE6 needs to differentiate between scripts that include unsafe operations versus those that don't.

  • Anonymous
    March 09, 2006
    You aren't addressing the real problem.  IE should stop relying on Active X controls.  Other browsers don't use the insecure Active X controls in their implementations.  You should learn from the makers of Firefox instead of keeping in the same failed direction.

    I have to view pages I design in IE, but as long as IE continues to have irritating warning messages popping up, I will use other browsers for my regular browsing.

  • Anonymous
    March 09, 2006
    Xepol, you might not need to be nagged, but the very fact that you read and comment on this blog indicates that you're computer-savvy.

    The VAST, VAST majority of IE users won't have a CLUE about security or anything like that. So nagging them and spelling it out for them to make it absolutely clear is definitely a good thing.

    Why on earth that would "alienate" you or drive you to use Firefox, I don't know...

  • Anonymous
    March 09, 2006
    If there is a GPO setting to turn this on and off, there is a registry setting to turn this on and off. If I am a "real" power user I would know this and make the poke and be done with it. Just like I have by having IE download PDF's instead of opening (thanks Adobe for a very yucky default setting), or like I have enabled IE to download more than two files at once, and queue a third. Power User should know how things work, and be able to resolve a problem like a mechanic, pop open the hood get the tools and go to work, not sit and whine that the oil is dirty, ewwwww.

  • Anonymous
    March 09, 2006
    I understand that you are trying to make it more secure as many new computer users are now getting a computer and exploring the Internet. However, I've used a computer since I was in 5th Grade (let's just say more than 10 years), and I know when I am at risk and when I am not. I think what I'm getting at is you could have two different levels of settings:
    +Power/Advanced User Interface: You don't get irritating warnings and things blocked that you don't want and then get bothered. It's like you forcing us to wear a certain color of clothing. "This looks better on you; you'll get more dates this way. Wear this. We know what's best." Yes, unfortunately, I know what is best, too, and I usually never follow that standard. We know not to speed, but do we?...

    Then the other mode would be:
    +Standard Security Settings or something along those lines. When you select the advanced/power user, a warning can come up saying you are potentially putting your system at risk indefinitely. Just warn us. Isn't that what Windows used to do? System Restore: When you turn it off, it says, "Are you sure? You won't be able to roll back!" ... Isn't that all we need? If we're determined, we'll do it, but having to go through more steps is a pain in the...

  • Anonymous
    March 09, 2006
    Surely power users would just use the Local Policy MMC to change the setting to what they wanted, anyway?

    I think this feature is a great idea!

    The ignorant need to be saved from themselves.

  • Anonymous
    March 09, 2006
    When I accidentally click on fix my settings (cause you know, this will happen a lot)...

    It will provide a dialog for confirmation, correct?

    (read: It certainly better!)

  • Anonymous
    March 09, 2006
    Here's an idea / solution for the settings fiasco this WILL cause:

    User Setting Context.

    Allow a user to have different modes of settings, be it, General User, Advanced User, and Power User.

    The first two would probably encompass the masses and then some, while allowing a full range of options for developers and truly knowledgeable users to set security settings and reminders to something that's more comfortable to tolerate.

    I HATE being bombarded with the infobar when I already know what's going on, and I'm well aware of my settings.  It'd be nice to just disable all these "security" features so that I can browse, test, and debug pages without being warned EVERY FRICKIN' TIME about a license, script, what have you.

    Give power to all users, please!

    P.S.  Any word on a fix for debugging ASP.NET apps with IE 7?  When I'm in a breakpoint, I notice that if I'm in there too long, IE will "timeout" instead of waiting for the page to respond again, like IE 6.x did.  Any workaround / option for this?

  • Anonymous
    March 09, 2006
    Why not just allow a "don't remind me again this session" that temporarily removes the restriction but reverts to the default when you close the browser (or perhaps navigate away from the current domain). Or at least let us get rid of the warnings by adding the site/domain to Trusted Sites!

  • Anonymous
    March 09, 2006
    "Problem solved, I don't need to be nagged constantly."

    I ...

    That's the error in your reasoning.

  • Anonymous
    March 09, 2006
    "we also want to prevent you"

    That's the error in the IE Team's reasoning.

  • Anonymous
    March 09, 2006
    "we also want to prevent you"

    That's the error in the IE Team's reasoning.

    ---

    No it's not, because you is not you.

  • Anonymous
    March 09, 2006
    If you seeeee that pop up, just click the "disable" and forget... Isn't it easy?
    Do not complain like kids!

  • Anonymous
    March 09, 2006
    Yes I am.

    <_<

  • Anonymous
    March 09, 2006
    I just recently updated my internet explorer to 7 and now my internet favorites while in MSN premium no longer work? Anyone know why and how to fix?

    thanks,

    Steve D

  • Anonymous
    March 09, 2006
    It's a fact, most users need to be protected from themselves. However if I know what I am doing I'd like to not be nagged.

  • Anonymous
    March 09, 2006
    Isn't it funny how these "experts" on here are too obtuse to understand that IF YOU WANT A SPECIFIC SITE TO RUN CODE ON YOUR MACHINE, ADD TO THE TRUSTED ZONE.

    The new feature introduced here is about code coming from the internet zone.

    You people who b---h and moan claim to be so savvy, yet can't seem to master reading comprehension.

  • Anonymous
    March 09, 2006
    Again,

    "Secure my settings for me..." - NOT FIX; implies IE7 is breakable and is not secure enough

    Like Protected mode that is turned on by default, I have to commend you again on security; this time you do not even provide a way to turn it off!
    1- This would remind developers to program better
    2- Instill caution in users

    :) See, you've made me smile...

  • Anonymous
    March 09, 2006
    I think this is a step in the right direction. The majority (all?) of the posters here are power users and simply don't (or can't...) understand what an average user is. And what he/she is is someone that must be saved from him/her self. Sad but true.
    Regarding power users: if they are so, they can fiddle with group policies.

    Keep up the good work in the right direction.

  • Anonymous
    March 10, 2006
    This is a comment

  • Anonymous
    March 10, 2006
    "Am I the only user that thinks an applications settings should be with...  wait for it....  the application!?"

    In a perfect world where normal users won't do stupid things, yes. But that isn't the case...

  • Anonymous
    March 11, 2006
    If I set ActiveX to prompt .. can I have it remember which websites I am OK with activeX on permanently?

    Also, how to disable sound for specific webpages especially if it's in one of the tabs I am not looking at.

  • Anonymous
    March 11, 2006
    Hi Development team,

    I have discovered a problem in IE7. When clicking a hyperlink with <target="_blank"> in its HTML, the new page comes out in a new window but not in a new tab. I hope you can look into this issue and solve it.

    I'm not sure if I am posting in the correct place, but I find no other way to post this.



    IE7 new tester,
    Wong

  • Anonymous
    March 11, 2006
    <<When I'm in a breakpoint, I notice that if I'm in there too long, IE will "timeout" instead of waiting for the page to respond again, like IE 6.x did.  Any workaround / option for this?>>

    We've recently changed the timeouts back to the IE6 defaults and you'll see the change in an upcoming build.  Sorry for the inconvenience.

  • Anonymous
    March 11, 2006
    I'm a new IE 7 user, I'm seeing a lot of bugs, hope you get this working right....HA

  • Anonymous
    March 13, 2006
    JRosenfeld, keeping it at prompt is ok, this won't invoke the security warnings described above. Only if you actually set it (or any other security setting) to the option described as "(not secure)" will the security warnings start occurring.


    Don't tell webdevs and sysadmins what is secure and what isn't...

    Make it easily overrideable or adaptive.

  • Anonymous
    March 14, 2006
    I can appreciate the usefulness of this feature. But I question why you wouldn't provide a method for a user to turn off the prompts. And if you aren't going to trust a user to override the security settings on purpose, why include the option in the first place?

  • Anonymous
    March 14, 2006
    I'm agreeing with all the recommendations to reword the label "Fix my Settings" this implies that there is something wrong, but custom settings are not wrong. Yes there are malware programs that change settings, but would it be better to include the intended results of this feature directly into the existing buttons "Restore Defaults" in Advanced or "Default Level" in Security of Internet Options? If this isn't possible a suggestion is "Restore Default Setting For This Zone."

    I know it's been mentioned, but the idea of including profile settings beyond Group Policy, such as identities for Outlook Express, is a brilliant idea.

    "[W]e do not provide a way in the user interface of turning off this feature" I still don't understand why you did this. Why couldn't you include a simple option such as "Warn if not default security setting" Always, Only when changed, and Never. And have Always as default?

  • Anonymous
    March 16, 2006
    Yeah, it's so annoying that every time I am at a secure page, it warns me if a picture is being loaded from a non secure location, and won't load the picture. So when I am on Google Adsense or gmail every time I load the page I have to click the bar to reload non secure items and there is no way around this.

  • Anonymous
    March 18, 2006
    Is MS Agent going to work in IE7 by default on everyone's PC?  Given it's an ActiveX control.

  • Anonymous
    March 20, 2006
    I only want to get this the heck out of my pc.. I can only hope by downloading a different browser like firefox I'll be able to sort everything so I can completely reload windows as the inet 7 will not uninstall.

    If you play online games like TW golf you'll be sorry you made the error of trusting MS beta programs

  • Anonymous
    July 26, 2006
    I read about this internally yesterday and then on the blog posts today - IE7 will become part of the
