MSDN articles on IE for XP SP2


The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 20 August 2012

If you’re a developer hosting the WebBrowser control, you’ll want to read Compatibility in Internet Explorer 6 for Windows XP Service Pack 2. This article has details about changes such as:

  • Local Machine Zone Lockdown
  • Object Caching
  • MIME Handling
  • MIME Sniffing
  • Network Protocol Lockdown
  • Window Restrictions
  • File Download Restrictions
  • ActiveX Restrictions
  • Pop-up Blocker
  • Zone Elevation Blocks
  • Binary Behaviors

If you’re a website developer, then check out Fine-Tune Your Web Site for Windows XP Service Pack 2. It covers popup blocking, ActiveX controls, and new restrictions on browser windows.

You may also want to read about “Enhanced Browsing Security”, part 5 of the Service Pack 2 Resource for IT Professionals articles. This article covers some of the same material as previous articles, but oriented to the IT Pro audience, including Group Policy details.

– Bruce

Comments (39)

  1. Anonymous says:

    Website developers don’t use popups, ActiveX controls and open new browser windows. Only Frontpage weekend web warriors do such things.

  2. Anonymous says:

    CNN’s website uses popups (which IE blocks, BTW) to ask which edition you’d like.

    Volkswagen’s site opens a new window (see http://www.vw.com/passat, click the "take a good look" link), which then uses Flash’s ActiveX control.

    These are valid uses for new windows and ActiveX controls, wouldn’t you say?

  3. Anonymous says:

    I dearly hope that you’ll answer this question. I’ve been pondering this for a while.

    I like IE over the Mozilla FireFox hype, but there’s a feature I _really_ dislike.

    "MIME Sniffing" is just something I cannot understand, and the insane checks you’re doing to determine the type of a file.

    99.999% of the servers on the internet do send the MIME header to tell what kind of file it is, it’s _REQUIRED_ by the HTTP standard.

    And yet you’re checking the type from the URL to determine on how you should handle the file, why?!

    For example, I have a script that generates HTML and sends the "text/plain" type so I can see the actual HTML (for debugging purposes).

    But no, IE is the only browser (I tested Opera and Mozilla) that renders it as HTML. It’s breaking the orders sent by the server!!

    And (maybe a bit offtopic), then I have a script in my server that sends the "text/plain" content-type and outputs some text I’d like to see in my browser. But it’s not displaying it in the browser, it’s opening an external program. Why?

    This ‘sniffing’ is just useless, waste of CPU time and pissing on developers’ shoes. And I don’t see any ‘security benefits’ from it. Why are you doing it (MIME sniffing and the URL extension sniffing)?

    P.S. I even tried to disable the ‘feature’ from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING but it didn’t work (I restarted my Avant Browser (it hosts IE control)).

  4. Anonymous says:

    I agree about the mime sniffing. A friend of mine hosted their site with an ISP who had misconfigured their server. It was sending web pages as mime type "text/plain", rather than "text/html". IE would sniff the file, figure out it was actually html and render it. Any other browser would respect the mime type and render it as plain text.

    Because IE (used by most people) rendered the pages correctly, the ISP refused to accept that their server was configured incorrectly! The end result being that my friend’s site was inaccessible to anyone not using IE.

    Clearly the ISP was at fault here but, if it were not for the mime sniffing ‘feature’, I suspect the problem would never have arisen in the first place. At the very least, it would have been fixed as soon as it was spotted.

    Also, there are plenty of legitimate reasons to use popups, activex, et al. Speaking as someone who spends their time developing web-based applications, I find such features useful.
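The mismatch described in comments 3 and 4 (HTML delivered as "text/plain" and rendered as HTML by a sniffing client) can be checked from the server side. This is an added example, not code from the post or from Microsoft; the marker list, the 256-byte window, the finding names and the sample responses are assumptions constructed for illustration, and `X-Content-Type-Options: nosniff` is a response header introduced after this post was written.

```python
"""Flag responses whose body looks like HTML but is declared as something else."""

# Assumptions (constructed for this example, not IE's sniffing algorithm):
# a 256-byte inspection window and a short list of HTML markers.
SNIFF_WINDOW = 256
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<title", b"<table", b"<iframe")
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def looks_like_html(body: bytes) -> bool:
    """True if the start of the body contains a common HTML marker."""
    head = body[:SNIFF_WINDOW].lower()
    return any(marker in head for marker in HTML_MARKERS)


def audit_response(headers: dict, body: bytes) -> list:
    """Return finding strings for one HTTP response (empty list = consistent)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Drop parameters such as "; charset=utf-8" before comparing.
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    # nosniff asks browsers that honour it to keep the declared type.
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    findings = []
    if not declared:
        findings.append("content-type-missing")
    if looks_like_html(body) and declared not in HTML_TYPES:
        findings.append("html-body-declared-as:" + (declared or "none"))
        if not nosniff:
            findings.append("nosniff-missing")
    return findings


# Constructed sample responses: name -> (headers, body).
SAMPLES = {
    "debug script (comment 3)": (
        {"Content-Type": "text/plain"},
        b"<html><body><h1>debug</h1></body></html>"),
    "misconfigured host (comment 4)": (
        {"content-type": "text/plain; charset=utf-8"},
        b"  <!DOCTYPE html>\n<HTML><head><title>Home</title></head></HTML>"),
    "same, with nosniff": (
        {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
        b"<html><body>source view</body></html>"),
    "correctly typed page": (
        {"Content-Type": "text/html"},
        b"<html><body>ok</body></html>"),
    "real plain text": (
        {"Content-Type": "text/plain"},
        b"Debug output: 1 < 2 and x > y\n"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(f"{name}: {audit_response(hdrs, body) or 'ok'}")
```
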

  5. Anonymous says:

    Real webdevs don’t develop sites for one specific browser.

  6. Anonymous says:

    The so called "MIME sniffing" feature should be removed completely, that would force administrators to set up their servers properly.

    IE allows a lot of sloppiness that it really shouldn’t. Use backslashes in a URL and IE ‘helpfully’ corrects it – http:\getfirefox.com would work in IE but not in other browsers.

    Microsoft should use their market share (before better browsers like Firefox erode it) to encourage good practice. Sloppy coding just spells trouble further down the line.

    Instead of encouraging good practice IE devs go out of their way to ensure they don’t break someone’s badly coded site. The recent SV1 version number madness is one example of this, while any other company would just update their version number Microsoft are too scared it’d break scripts (so what happened when we went from IE 4.0 to 5.0 to 5.5 and then to 6.0???).

  7. Anonymous says:

    You’re nuts if you use ActiveX on your website. It’s a nasty trick for people to keep using IE instead of a browser which does understand web standards decently.

  8. Anonymous says:

    The blog is booooooriiing.

  9. Anonymous says:

    I was just thinking of an example where the IE team have broken backwards compatibility when there was no good reason to – plugins!

    There are two plugin APIs available, one is the Netscape API which is used by all major browsers except IE and then the ActiveX API used by IE and one of the major causes of security problems on the platform.

    At one time IE supported both types of plugins, the major vendors still done a native IE ActiveX plugin as well as the Netscape style plugin, but small companies who didn’t have the resources to develop two types of plugins could write to the Netscape API so that they knew it’d run on all browsers.

    So what did Microsoft do? They pulled the plug on the NS plugin support in a service pack to IE 5.5. The reason? To encourage plugin vendors to release IE only plugins.

    So less of this nonsense about not incrementing the version number because of breaking people’s scripts, the plugin issue shows you don’t care about breaking compatibility if it has the potential of squeezing a few more percent in marketshare.

    Fortunately most plugin vendors still support the Netscape API as well as the MS one, so that plan backfired and if you want Netscape style plugins to work in IE then you can see here: http://www.mozilla.org/projects/plugins/plugin-host-control.html

  10. Anonymous says:

    "Real webdevs don’t develop sites for one specific browser."

    Jackpot.

  11. Anonymous says:

    @T: No, there are absolutely NO valid uses for popups or ActiveX. Also, while Flash _may_ have some uses (such as primitive tutorials of some sort in specific circumstances), I generally consider it as the spawn of Satan and have all swiffs blocked by my firewall. A site that uses Flash to deliver content instead of HTML will never get my attention again.

  12. Anonymous says:

    I have been defending IE for the past number of years, but am now an active member of spreadfirefox.com. I love the firefox browser.

    I also love a lot of Microsoft technologies, they are my bread and butter, but you have really let IE slip into a nightmare.

  13. Anonymous says:

    I’m sure the IE developers know how much IE sucks, they have to code it for crying out loud.

    We should give them a break, they’re only doing what they’re told. 😉

  14. Anonymous says:

    People, please cut the offtopic. This is not about how good of a browser Firefox is or about the way some people code their pages.

    This is about the new features in the SV1 release of IE.

    Gavin: I’m kind of in the same situation as you. I’ve been defending IE too because in my opinion it’s a fine browser and the propaganda the open source geeks keep telling other people about the added security is false. Mozilla would have about the same number of vulnerabilities as IE has had now, if it were to come as popular as IE.

    But now I’m thinking of FireFox (not for the "security"), because it enables me to achieve so much stuff I can’t do with IE (to develop my scripts for example! I cannot do it like I should be able to with IE!).

    Fix these issues (in my opinion they are easy to fix and fixing them does not cause incompatibilities worth mentioning) and IE will be the best damn browser in the world!

  15. Anonymous says:

    re unknOwn: "…there are absolutely NO valid uses for popups"

    Okay, suppose you are filling in a long online form for an insurance application and there is a question that you do not understand. Helpfully there is a little button next to the question that, when clicked, pops up a little window with explanatory information. Is that not a legitimate use for popup windows?

  16. Anonymous says:

    IE in Windows SP2 seems to upload files with an extension of ".htm" or ".html" as "text/plain" not "text/html".

    http://lists.w3.org/Archives/Public/www-validator/2004Sep/0039.html

    Any comments on this change? It doesn’t seem to be mentioned on MSDN, unless it’s connected to "Local Machine Zone Lockdown".

  17. Anonymous says:

    @Richard: Absolutely not. The person who designed such an ununderstandable and unusable page should be fired from his job immediately.

    If the explanatory information shouldn’t be visible on the very page (for reasons I can’t even grasp), there are CSS & JS tricks to accomplish showing the help text, even in browsers without JS, text-based browsers and screen readers, while still being invisible until something is clicked on today’s modern, and wrongly considered "baseline" browsers.

    Let me repeat once again: THERE ARE NO VALID USES FOR POPUPS. If you think there are, you’d be best spending the next couple of days rethinking your website.

  18. Anonymous says:

    "Mozilla would have about the same number of vulnerabilities as IE has had now, if it were to come as popular as IE."

    That’s not necessarily true. The same proportion would be discovered (and probably more), but simply using it does not introduce bugs into the code. There is an upper limit to the number of vulnerabilities in any given piece of code, and that limit is independent of popularity.

    It’s not entirely fair to compare vulnerability counts, but it’s not fair to suggest that they are equally vulnerable either.

  19. Anonymous says:

    @[unknOwn]

    So, you think it’d be better to integrate everything into one page (the help texts etc) even when most people wouldn’t need them? That’d increase the file sizes dramatically.

    What about picture galleries? It’s stupid to open a new window for a small picture. And don’t say that ‘galleries are useless in my opinion, so no-one should not use them!’.

    Don’t hate me too much for saying this, but you sound a tad arrogant to me.

    @lowercase josh

    I agree with your post.

  20. Anonymous says:

    I agree with pompo500, think about the Contact Manager in Gmail – it’s pretty hard to argue that would work better as a non pop-up.

    If web sites *are* supposed to become more like web apps, shouldn’t they function as such? Or when you go Help -> About in IE you’d prefer for the ‘pop up’ window to fill the whole screen perhaps?

  21. Anonymous says:

    If the pop-up is user initiated then it *could* be argued that it’s OK to use one, but I’d still tend to side with unknOwn that pop-ups are useless. They’re an accessibility nightmare, to be blunt.

    I *never* design pages with pop-ups, or even links opening in a new window. I’ve disabled links that open in new windows in Firefox as well. I’m a strong believer that the website visitor should be in control. Instead of telling *them* what windows they should have open, let them decide for themselves. That’s what accessibility is meant to be about.

    If you have a high volume of information to convey, it would be inappropriate to communicate it with a pop-up, and if you have a low volume of information, then you can just as easily use an absolute <div>, with much less inconvenience to the user.

  22. Anonymous says:

    @pompo500 : That’d increase the file sizes dramatically.

    What about old design with tables and fonts tags about file size? I prefer to serve more content than necessary in most case than serving html tags soup. It’s not really the subject but popups are a very bad practice. Have you ever tried Home Page Reader with your screen switched off? If not you cannot understand, but html is not only a matter of visual browser and software allowing bad http/html code like IE are really a pain for accessibility progression.

    About security issues, may I remind you what is the most used web server in the world? It is true also for e-mail server and DNS server, and so on… By the way who is the web server software less secure (or less patched) than the popular one (hint: remember JECT)?

    There’s something wrong…

  23. Anonymous says:

    pompo500 – See http://blogs.msdn.com/jeffdav/archive/2004/08/09/211492.aspx#211525 for a discussion on MIME sniffing. There’s enough questions about this subject we’re planning on either an MSDN article or a blog post to clarify.

    IE for XPSP2 shouldn’t promote text/plain to HTML, so if you have a repro on that please send it to us via the Comment form.

    – Bruce

  24. Anonymous says:

    @pompo500: Yes, everything should be on one page. If there’s 50 KB of help text total for the insurance example above, it should not only be present on that page, but also on another one, printer-friendly. Of course, you can always resort to KISS accompanied by "Read more…", but that’s stupid.

    Do not, I repeat, do NOT assume "most people wouldn’t need [something]" – at least one out of five people is vision or color-impaired, has JS or popups disabled, or uses something that’s not today’s modern browser. It’s your job to think in advance and to make your web perfectly usable for everyone, including the kitchen sink.

    Picture galleries MUST open the clicked picture in the SAME window. No bloody popups, no explicit new browser window opening. Turnip explained it beautifully – you do NOT want to impose any restrictions on the user.

    @Dominic: I haven’t used Gmail, but I’m pretty damn sure popups aren’t needed. Google (as the search engine) delivers catastrophic, invalid HTML, so I’m inclined to say they don’t know sh*t about accessibility, usability and web standards. [*]

    BTW, check out Opera’s "About" window.

    [*] They use the blockquote tag to indent multiple search results from the same site, damn it!!! And what’s with all those font tags?! If Google redid their search results to be standards-compliant, not only would they be usable for a larger audience, but – I’m taking a wild guess here – would save a terabyte or two bandwidth *daily*.

  25. Anonymous says:

    unknOwn, dare I say it, but you have a point. I’d never thought to put Google through the W3 validator before, but 40 errors on their front page is quite shocking, considering Google’s image.

  26. Anonymous says:

    http://www.w3.org/TR/css3-hyperlinks/#the-target-new

    unknOwn, apparently the W3C disagrees with you to an extent, as do I. There are legitimate uses for popups even if they are not the best practice.

    Web forums are an example. If one clicks on a link to get more information on the person he is posting to, the text of the message can be lost. Placing it in the same page won’t work if there is a lot of information; a screen reader would have to ignore it or read through it all. So what’s left? A requested popup.

    On a different note, can you drop the holier-than-thou attitude? In my not so humble opinion, it’s not going to help you change many people’s minds. I doubt a gallery is going to switch its layout and code just because you say it "MUST."

  27. Anonymous says:

    snowknight: You spoke my mind.

    Bruce Morgan: Here’s the link. http://pompo500.xs.fi/text.php

    And I noticed another bug too that Matthew Wilson posted about in this page. That is another thing I’d like to hear about.

  28. Anonymous says:

    @snowknight: First, this is a working draft. You know what that means, don’t you? Second, that’s not a popup, that’s the target window/tab for user-initiated clicks (and have no doubt that browsers will allow overriding that value should it ever officially appear in CSS3).

    As for your web forum example, normal browsers (not IE) don’t lose any form text/selections on back/forward actions. Also, there’s no point in placing the user information on the same page, as it’s not really relevant to the content. Can you tell me what happens if I want to view the information on 20 users? I bet every click will open the information in the _same_ popup, leaving me unable to load that info in the background for later viewing.

    And no, I can’t drop my attitude because it’s correct. BTW, any gallery that uses popups is as doomed as the people who use IE.

  29. Anonymous says:

    unknOwn, I’m well aware of its current status. That’s beside the point. What the W3C is working on is giving sites, through CSS, the ability to open new windows on click. Requested popups are new windows that spawn on click. They perform the same logical function. Why would the W3C try to transfer the concept of requested popups to CSS if there wasn’t a valid reason for said popups as you imply above?

    "As for your web forum example, normal browsers (not IE) don’t lose any form text/selections on back/forward actions."

    So, forget all about IE users? It’s not a good idea considering they’re the majority of potential users. That isn’t good design either.

    "Also, there’s no point in placing the user information on the same page, as it’s not really relevant to the content."

    Agreed, I’m just covering the only alternative to popups that you listed.

    "Can you tell me what happens if I want to view the information on 20 users? I bet every click will open the information in the _same_ popup, leaving me unable to load that info in the background for later viewing."

    You lose that bet. Every click spawns a new window so 20 clicks = 20 requested popups.

    "And no, I can’t drop my attitude because it’s correct."

    [rolls eyes] So basically, you’re god and everything you say is right? I know that’s not what you meant, but that’s what it sounds like to me. That’s why I called it holier-than-thou.

  30. Anonymous says:

    @snowknight: There’s absolutely NO certainty that these things will even be implemented. Also, that draft hasn’t been touched in more than half a year.

    And again you’re mixing popups with new windows/tabs.

    No, not forget IE users – put a link that’s clearly specified to open a new window (NOT a popup!).

    OK, maybe 20 different popups, depending on how the script was coded. But you know what? In 99% of the cases, such galleries are not available for non-JS browsers. Also, popups appear *in foreground*, which means the user has to click the link, alt-tab or taskbar-click, click another link… Do you know what a lifesaver is user-initiated background-opening?

    Holier-than-thou brought us IE… 🙁

  31. Anonymous says:

    Of course there are valid uses for popups. It’s silly to say there aren’t.

    Popups today are in very much the same situation that <blink> was circa 1996. It was so cool that everybody used it… then everyone became sick to death of it… so the major browsers turned it off.

    There are still ways to make text blink without <blink>, and there are still ways to make windows pop up.

    But a few abusers spoiled a good thing for everybody.

  32. Anonymous says:

    It is too funny, man.

    GMail just changed their "obvious good use for a pop-up" contact list to a non-popup.

    There was a time when no one even knew about windows, yet in that benighted time, they did UI.

  33. Anonymous says:

    I did an automatic download of SP2 over the weekend and after the install it immediately caused problems.

    First, it did not recognize that Norton Antivirus was active/enabled. Second the firewall started going up and down. Third, my system started to act as if a background app was frozen. Fourth, I could not activate the firewall. Fifth, I had no access to the net via cable. And there were other problems as well.

    I called MS and they were NO HELP.

    After considerable effort I was able to uninstall SP2 and my system returned to good working order.

    Makes me wonder if MS has heard of "system testing"? I know it’s probably a radical idea for them, but I do know other companies do test before launch.

  34. Anonymous says:

    Is there any reason why MSDN is still actively blocking Opera?

    The page displays perfectly if Opera is stripped from the user agent string.

    Didn’t you guys lose a case in court over this?