共用方式為


Internet Explorer 6.0 and Resulting Internet Communication in Windows Server 2003 with Service Pack 1

Applies To: Windows Server 2003 with SP1

This white paper provides information about the communication that flows between components in Windows Server 2003 with SP1 and sites on the Internet, and it describes steps to take to limit, control, or prevent that communication in an organization with many users.

This section of the white paper provides information about:

  • The benefits of Microsoft Internet Explorer 6 in Windows Server 2003.

  • A description of Internet Explorer Enhanced Security Configuration, which is enabled by default when you install a product in the Windows Server 2003 family.

  • Examples of the security-related features provided in Internet Explorer 6 (as compared to Internet Explorer 5).

  • Procedures for working with security-related settings in Internet Explorer.

  • Resources for learning about topics related to security in Internet Explorer 6. This includes resources that help you learn about:

    • The Internet Explorer Enhanced Security Configuration

    • Security and privacy settings in Internet Explorer 6.

    • Mitigating the risks inherent in Web-based applications and scripts.

    • Methods for deploying specific configurations of Internet Explorer 6 across your organization using Group Policy, the Internet Explorer Administration Kit (IEAK), or both.

Note

This section of the white paper describes Internet Explorer 6, but does not describe the related components Outlook Express 6 (the e-mail component in Windows Server 2003), the New Connection Wizard, or the error reporting tool in Internet Explorer. For information about these components, see the respective sections of this white paper (the error reporting tool in Internet Explorer is described in the Windows Error Reporting and Internet Communication section of this white paper).

Note

The New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000.

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to Web sites, run software from the Internet, download items from the Internet, and perform similar actions. This section, however, provides overview information as well as suggestions for other sources of information about how to balance users’ requirements for Internet access with your organization’s requirements for protection of networked assets.

The following are central locations in which to find information about Internet Explorer 6:

Benefits and Purposes of Internet Explorer 6

Internet Explorer 6 in Windows Server 2003 with SP1 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from most of the other components described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with components that communicate with the Internet in the process of supporting some other activity).

Internet Explorer 6 is also designed to be highly configurable, with security and privacy settings that can help protect your organization’s networked assets while at the same time providing access to useful information and tools. In addition, Internet Explorer Enhanced Security Configuration, which is enabled by default when you install a product in the Windows Server 2003 family, helps make your computer more secure by limiting its exposure to malicious Web sites.

With this enhanced level of security, however, you might find that some Web sites are not displayed correctly in Internet Explorer when you are browsing from a server. Also, you might be prompted to enter your credentials when accessing network resources, such as files in shared folders with Universal Naming Convention (UNC) names. You can easily change the enhanced security settings.

If you want to establish a specific configuration on servers (instead of using Internet Explorer Enhanced Security Configuration), Internet Explorer 6 offers more security-related options and settings than were available in Internet Explorer 5. The subsections that follow provide more information about Internet Explorer Enhanced Security Configuration and about the security-related options and settings in Internet Explorer 6.

Internet Explorer Enhanced Security Configuration

Internet Explorer Enhanced Security Configuration is enabled by default when you install Windows Server 2003. With this configuration, each zone uses a higher security setting than was used by default in Windows 2000. You can easily change the enhanced security settings.

The following table outlines some of the differences that Internet Explorer Enhanced Security Configuration makes in security settings on a server. (For a description of zones, see "Examples of Security-Related Features Provided in Internet Explorer 6," later in this section.)

Security settings with and without Internet Explorer Enhanced Security Configuration

Zone With Internet Explorer Enhanced Security Configuration Without Internet Explorer Enhanced Security Configuration (the same security levels as Windows 2000)

Internet zone

High security settings

Medium security settings

Trusted sites zone

Medium security settings

Low security settings

Local intranet zone

Medium-low security settings (intranet sites are not automatically detected)

Medium-low security settings (intranet sites are automatically detected)

Also, with Internet Explorer Enhanced Security Configuration, several sites are added automatically to specific zones:

  • The Windows Update Web site is added to the Trusted sites zone. This allows you to continue to get important updates for your operating system. For more information about Windows Update, see the Windows Update, Automatic Updates, and Internet Communication section of this white paper.

  • The Windows Error Reporting site is added to the Trusted sites zone. This allows you to report problems you encounter with your operating system and search for fixes. For more information about Windows Error Reporting, see the Windows Error Reporting and Internet Communication section of this white paper.

  • Several local computer sites (for example, https://localhost, https://localhost, hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.

    You can enable or disable the Internet Explorer Enhanced Security Configuration for administrators, all other user groups, or both. For more information, see "To Remove Internet Explorer Enhanced Security Configuration and Restore the Default Internet Explorer 6 Security Settings," later in this section.

For more information about Internet Explorer Enhanced Security Configuration, see the resources listed in "Learning About Internet Explorer Enhanced Security Configuration," later in this section.

This subsection describes enhancements in some of the security-related features in Internet Explorer 6, as compared to Internet Explorer 5. These features include:

  • A Privacy tab that provides greater flexibility in specifying whether cookies will be blocked from specific sites or types of sites. An example of a type of site that could be blocked is one that does not have a compact policy—that is, a condensed computer-readable privacy statement. (The Privacy tab was not available in Internet Explorer 5.)

  • Security settings that specify how Internet Explorer 6 handles such higher-risk items as ActiveX controls, downloads, and scripts. These settings can be customized as needed, or they can be set to these predefined levels: high, medium, medium-low, or low. You can specify different settings for a number of zones, the most basic being the four preconfigured zones:

    • Local intranet zone: Contains addresses inside the boundary defined by your proxy server or firewall.

    • Trusted sites: Includes sites you designate as "trusted."

    • Restricted sites: Includes sites you designate as "restricted."

    • Internet zone: Includes everything that is not in another zone and is not on the local computer.

    You can also specify different settings for the customized zones that you add programmatically using the URL security zones application programming interface (API). For more information, search for "URL security zones" on the MSDN Web site at:

    https://msdn.microsoft.com/

  • Support for content-restricted IFrames (inline floating frames). This type of support enables developers to implement these frames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks.

  • Improvements in Windows Server 2003 Service Pack 1 (SP1) that increase the overall security and reliability of Internet Explorer 6. These improvements include a configurable pop-up blocker, an interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features.

For more information about features available in Internet Explorer, see "Resources for Learning About Topics Related to Security in Internet Explorer 6," later in this section, as well as the Internet Explorer page on the Microsoft Web site at:

https://www.microsoft.com/windows/ie/

This subsection describes how to carry out the following:

  • View security settings for zones in Internet Explorer

  • Locate Group Policy settings that affect Internet Explorer, and view related Help

  • Determine whether Internet Explorer Enhanced Security Configuration is enabled on a specific server

  • Remove Internet Explorer Enhanced Security Configuration and restore the default Internet Explorer 6.0 security settings

To View Security Settings for Zones in Internet Explorer

  1. On the server on which you want to view settings, start Internet Explorer by your preferred method, for example, by clicking the Internet Explorer icon on the taskbar.

  2. On the Tools menu, click Internet Options.

  3. Click the Security tab.

  4. Select the zone for which you want to view security settings:

    • Internet

    • Local intranet

    • Trusted sites

    • Restricted sites

To Locate Group Policy Settings that Affect Internet Explorer

  1. See Appendix B: Resources for Learning About Group Policy for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.

    View the available settings.

  3. Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.

    View the available settings.

To Determine Whether Internet Explorer Enhanced Security Configuration is Enabled on a Specific Server

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Scroll down to Internet Explorer Enhanced Security Configuration. If the check box is selected, it is enabled. If the check box is cleared, it is not enabled.

  5. If you want to see whether Internet Explorer Enhanced Security Configuration is enabled for administrator groups, all other user groups, or both, select Internet Explorer Enhanced Security Configuration, and then click Details.

To Remove Internet Explorer Enhanced Security Configuration and Restore the Default Internet Explorer 6 Security Settings

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Click Internet Explorer Enhanced Security Configuration, and then do one of the following:

    • To remove Internet Explorer Enhanced Security Configuration for both administrators and all other users, clear the Internet Explorer Enhanced Security Configuration check box, and then click Next.

    • To remove Internet Explorer Enhanced Security Configuration for administrators only or for users who are not in an administrator group, click Details, clear either the For administrator groups check box or the For all other user groups check box, and then click Next.

  5. Follow the instructions to complete the Windows Components Wizard.

Procedures for Setting the Security Level to High for Specific Web Sites

The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as the running of scripts and the downloading of files from the site. For related information, see "Examples of the Security-Related Features Provided in Internet Explorer 6," earlier in this section, and "Learning About Security and Privacy Settings in Internet Explorer 6," later in this section.

To Configure a Specific Computer with a Security Level of High for Specific Sites

  1. On the computer on which you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Restricted sites.

  3. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom and you prefer to set it to High, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for active scripting and for file download are both Disable. After viewing the settings, click Cancel.

  4. With Restricted sites still selected, click Sites.

  5. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    https://*.Example.com

  6. Click the Add button.

To Use Group Policy to Set the Security Level to High for Specific Sites That Users or Administrators in Your Organization Might Connect To

  1. As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.

  2. In Group Policy, click User Configuration, click Windows Settings, click Internet Explorer Maintenance, and then click Security.

  3. In the details pane, double-click Security Zones and Content Ratings.

  4. Under Security Zones and Privacy, click Import the current security zones and privacy settings, and then click Modify Settings.

  5. Select Restricted sites.

  6. Under Security level for this zone, make sure the slider for the security level is set to High. If the security level for the zone is Custom and you prefer to set it to High, click Default Level and make sure the slider for the security level is set to High.

    You can view the individual settings that make up High security by clicking Custom Level. For example, you can click Custom Level and then scroll down to confirm that for High security, the settings for file download and for active scripting are both Disable. After viewing the settings, click Cancel.

  7. With Restricted sites still selected, click Sites.

  8. In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:

    https://*.Example.com

  9. Click the Add button.

This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 6:

  • Internet Explorer Enhanced Security Configuration

  • Security and privacy settings available in Internet Explorer 6

  • Methods for mitigating the risks inherent in Web-based programs and scripts

  • Ways to use Group Policy objects that control configuration settings for Internet Explorer 6

  • The Internet Explorer Administration Kit

In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment.

Note

For information about Internet Explorer on clients running Windows XP Professional with Service Pack 2, that is, for information similar to what is provided in this white paper but focused on clients instead of servers, see "Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=29133.

Learning About Internet Explorer Enhanced Security Configuration

For more information about Internet Explorer Enhanced Security Configuration, see one of the following:

  • The informational pages displayed in Internet Explorer after you install a product in the Windows Server 2003 family. To view these pages, start Internet Explorer after completing the installation.

  • Help topics in Internet Explorer. To view these topics, with Internet Explorer Enhanced Security Configuration enabled, start Internet Explorer, click Help, and then click Enhanced Security Configuration.

  • Help topics in Help and Support Center. To view these topics, click Start, click Help and Support, and search for "enhanced security configuration."

Learning About Security and Privacy Settings in Internet Explorer 6

Two important sources of detailed information about the security and privacy settings in the version of Internet Explorer 6 in Windows Server 2003 with SP1 are as follows:

  • "Changes to Functionality in Microsoft Windows Server 2003 Service Pack 1," which contains information about the pop-up blocker, the interface from which you can manage add-ons (programs that extend the capabilities of the browser), and enhancements to other security features. This document is available on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46278

  • Microsoft Internet Explorer 6 Resource Kit

    To learn about this and other resource kits, see the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?linkid=29894

    The Microsoft Internet Explorer 6 Resource Kit consists of a number of parts that include these titles:

    • "Privacy and Security Features"

    • "Preparation for Deployment"

    • "Customization and Installation"

    • "Maintenance and Support," including information about keeping programs updated

    • Appendices, including an appendix titled "Setting System Policies and Restrictions"

Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts

In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects running within Web pages. This code can move across the Internet and is sometimes referred to as "mobile code." Configuration settings provide ways for you to control the way Internet Explorer 6 responds when someone tries to run mobile code. Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows:

  • You can control the code (in ActiveX controls or in scripts, for instance) that administrators or operators can run. You can do this by customizing Authenticode® settings, which can, for example, prevent administrators or operators from running any unsigned code or enable them to only run code signed by specific authors.

  • If you want to permit the use of ActiveX controls, but you do not want administrators or operators to download code directly from the Internet, you can specify that when Internet Explorer 6 looks for a requested executable, it goes to your own internal Web site instead of the Internet. For more information, see the white paper titled "Managing Mobile Code with Microsoft Technologies" at the end of this list, and search for "CodeBase".

You can use the following sources to learn more about mitigating the risks inherent in Web-based applications and scripts:

  • To understand more about how a particular Microsoft programming or scripting language works, see the MSDN Web site at:

    https://msdn.microsoft.com/

  • To learn about approaches to mitigating the risks presented by mobile code, see "Managing Mobile Code with Microsoft Technologies," a white paper on the TechNet Web site at:

    https://go.microsoft.com/fwlink/?linkid=29170

Learning About Group Policy Objects That Control Configuration Settings for Internet Explorer 6

You can control configuration settings for Internet Explorer 6 by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy.

To learn about specific Group Policy settings that can be applied to computers running Windows Server 2003 with SP1, see the following two sources of information:

Learning About the Internet Explorer Administration Kit

With the deployment technologies available in the Internet Explorer Administration Kit (IEAK), you can efficiently deploy Internet Explorer and control the configuration of Internet Explorer across your organization. (You can also control the configuration of Internet Explorer by using Group Policy. For more information, see "Learning about Group Policy objects that control configuration settings for Internet Explorer 6," earlier in this section.)

A few of the features and resources in the IEAK include:

  • Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops.

  • IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.

  • IEAK Toolkit. The IEAK Toolkit contains a variety of helpful tools, programs, and sample files.

  • IEAK Help. IEAK Help includes many conceptual and procedural topics that you can view by using the Index, Contents, and Search tabs. You can also print topics from IEAK Help.

For more information about the IEAK, see the Windows Web site at:

https://go.microsoft.com/fwlink/?linkid=29479