.NET control no longer loads in IE8 in Internet Zone


Hello There!

 

Veena here to discuss an important change made in Internet Explorer 8 that could impact you. With Internet Explorer 8 it is no longer possible to load .NET controls in Internet zone under the default(medium-high) security setting.

In Internet Explorer 8, we have added a new UI-less URLAction (0x2005) that we check before loading the .NET MIME Filter, mscorie.dll,  for content from the Internet zone. And by default it is set to DISABLE in Medium-High/High templates which are the default security templates used by Internet Zone and Restricted Sites Zone respectively. This URLAction is enabled by default in the other security zones.

This change prevents the loading of mscorie.dll for a .NET control on a page, if that control’s URL has a "DISABLED" policy for the new 0x2005 UrlAction. Please note that this URLAction cannot be configured via the Internet options control panel. This change is further discussed here.

Mscorie.dll, contains a Multipurpose Internet Mail Extensions (MIME) Type Filter. This filter hooks into Internet Explorer and monitors all incoming data streams with the MIME type application/octet-stream. A primary role of this filter is to examine the incoming stream to see whether or not the stream is managed code. If the filter determines that the incoming data is a .NET Framework module, the filter loads a managed assembly named IEHost which then handles loading the .NET control. The following KB article discusses this in more detail:

http://support.microsoft.com/kb/311301

If you want to allow loading .NET controls for any web site that is impacted by this change, you can add it to the trusted sites zone. But please note that the site that needs to be added is that of the control and not that of the page. Alternatively, you can set the above URLAction to enable in the registry but please note that this can compromise the security of your system.

 

Regards,

The IE Support Team

Comments (3)

  1. Xeos says:

    Couldn’t you use the .NET Framework Configuration Console to deny any unauthorized code?

    You guys create a technology let people use it then deny it from working. Why didn’t you do this with ActiveX controls, at leaset signed ActiveX can run in IE without any problems for the web users.

    I don’t think implemnting this in that way is a good thin, actually no body complained about the security of loading .NET controls but some smart engineers in Micosoft found a way to attack some machine and whoooo lets prevent .NET Controls from loading on Internet!

  2. Bjørn Erik Haug says:

    Does this affect XBAP assemblies as well?

  3. Carlos says:

    If my user control is signed (Strong Name) or if I attach it a MANIFEST, will I have the same problem?

    Is there any other option instead of registering my server in the trusted sites list?

    Thanks for your answers.