Zones and Default Settings


It’s always good practice when developing web pages to test them in browsers with default settings as it is most likely that your users will have default settings when using their browsers. One thing that we’ve seen catch a couple of people out with IE is that the default settings can be a little different depending on the security zone the page is running in.

Many of you will be familiar with the different security zones in Internet Explorer with the internet and intranet zones being two that you may see on a regular basis in the status bar of IE. By default the security settings for content running in the internet zone are a little more restrictive than those for content running in the intranet zone. One example is that in IE7 under default security settings a web page running in the internet zone may not write text to the IE status bar using the window.status method call, whereas the call is allowed in the intranet zone. This restriction was introduced in IE7 as part of the security work to reduce spoofing and ensure that content on the internet cannot directly influence the area of the browser outside the HTML rendering area.

During development of web pages, content is often supplied by a local server and as a result runs in the intranet zone. Later, when the pages are deployed and accessed from the internet, the same content runs in the internet zone. As a result, a call to set window.status that worked during development no longer functions.

To avoid these differences and have content run in the internet zone even though it originates on the intranet, you can add the Mark Of The Web (MOTW) to pages. The MOTW is a comment placed at the start of the HTML page to indicate that the content is from the internet; it takes the form <!-- saved from url=(0014)about:internet -->. Including the MOTW in pages and checking that you have default security settings during development helps ensure that you experience the same settings as users of IE on the internet will have when your pages are deployed.
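As an added example (not code from the original post), the following Python script builds and validates a MOTW comment of the form described above. It checks that the four-digit count in parentheses matches the length of the URL, a detail that is easy to get wrong when the comment is typed by hand, and inserts a correct mark when a page lacks one. The sample pages are constructed for the example.

```python
import re

# Mark of the Web as described in the post: an HTML comment of the form
#   <!-- saved from url=(NNNN)URL -->
# where NNNN is the zero-padded decimal length of URL in characters
# (about:internet is 14 characters, hence (0014)).
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def make_motw(url="about:internet"):
    """Build a correctly formed MOTW comment for the given URL."""
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def check_motw(html):
    """Return (status, detail) for the first MOTW comment found in html.

    status is 'missing', 'bad_length' or 'ok'; detail carries the URL, or
    (declared length, actual length, URL) when the count does not match.
    """
    m = MOTW_RE.search(html)
    if not m:
        return ("missing", None)
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        return ("bad_length", (declared, len(url), url))
    return ("ok", url)


def add_motw(html, url="about:internet"):
    """Prepend a MOTW to html unless a valid one is already present.

    A malformed mark is removed first so the page does not end up with two.
    """
    status, _ = check_motw(html)
    if status == "ok":
        return html
    html = MOTW_RE.sub("", html)
    return make_motw(url) + "\n" + html


# Constructed sample pages, not taken from the post.
GOOD = "<!-- saved from url=(0014)about:internet -->\n<html><body>hi</body></html>"
BAD = "<!-- saved from url=(0013)about:internet -->\n<html></html>"  # wrong count
NONE = "<html><body>no mark</body></html>"

if __name__ == "__main__":
    for name, page in (("GOOD", GOOD), ("BAD", BAD), ("NONE", NONE)):
        print(name, check_motw(page))
    print(add_motw(NONE).splitlines()[0])
```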

On a separate topic I’d like to note that this will be my last post here. After eleven great years at Microsoft it is time for me to move on to new adventures. I know that the IE team will continue to work on future versions of IE, supplying a great and secure browsing experience for Windows. I am looking forward to seeing the next releases of the product.

Thanks,

Dave Massy
Senior Program Manager

Comments (38)

  1. Dean Harding says:

    That doesn’t seem to work for me… where EXACTLY is it supposed to go? No matter where I put it IE still tells me "Local Intranet" as my zone…

  2. Dean Harding says:

    Hmm, I read the linked document (probably should have tried that before the last comment) but it still doesn’t seem to work… keeps telling me "Local intranet"

    Perhaps I’m doing something wrong.

  3. Ron says:

    Bye Dave, it was good to have you around here and spreading info about IE.

  4. game kid says:

    A page on your computer should show "My Computer" (or "Computer"?) as the zone without the comment, and "Internet" with it.

    You might have to re-open your page in a new window to see the difference.

  5. PatriotB says:

    I’m sad to see you go Dave.  Thanks for all you have done to help jumpstart IE back to life, and for being a public face for the team.  Best of luck in your new ventures.

  6. Alex says:

    Wow, Dave, you’re going… never expected that. Good luck with what you’re going to do now 🙂

  7. @Dave Massy

    I have seen your videos on Channel9 and I am sad now that you decided to leave the IE team. You were a very personable PM at Microsoft.

    I wish you good luck and all the best for your new adventures.

  8. cooperpx says:

    @ Dave Massy

    Hi Dave, I’m sorry to hear you’re leaving Microsoft, and more importantly the IE Team. I sincerely wish you success in your next endeavour.

  9. steve_web says:

    Sorry to hear you are leaving Dave… just when Printing became possible in IE! 😉

    As for the whole security settings in IE, I’d like to make a recommendation to the development team that in future, a better interface for this be developed.

    There is currently no easy way for me to see a quick list of all of the "enabled" features, or "disabled", etc.

    Worse yet, is the fact that everything is named in a very un-user friendly manner.

    For example, the classic enable/disable JavaScript.

    This should be the easiest thing to (a) find, and (b) toggle, for all users.

    Ok, so in IE7, where do we go to set this up.

    Hmmm… can’t go to the MENU, cause it was decided that that would be too easy, and hidden from all users by default.*

    Ok found it, Tools > Internet Options.

    Security Tab?… ok…

    Looking for a "Change", or "View" settings…

    Hmm, ok, lets try "Custom Level…"

    ok, only 6 million things in this list… lets stretch the dialog so I can see things better…

    oh, that sucks, can’t do that… (why not?!)

    alright, lets start scrolling… we are looking for "JavaScript"…

    Hmm, these sections should all be in a collapsed tree by default… 1 per visible view is just silly…

    ok, there is no JavaScript in this list?… huh?

    ask someone… oh, its called "Active Scripting"… that makes sense… not!

    ok, which of these things do I change?… aren’t the ones below the first one, all "Children" of scripting?… thus If I "disable"  JavaScript, shouldn’t "access" to the clipboard and status bar be automatically disabled also?

    And what’s with the "Misc" section? its like 4 screens long!

    What’s with the ordering of stuff in this box?

    "Software Channel Permissions:
    High
    Low
    Medium

    Alphabetic sorting is NOT appropriate for this kind of list.. it should either be:
    Low
    Medium
    High

    or

    High
    Medium
    Low

    Then, multiply all this mess above, by the fact that there are FOUR of these pages, one for each zone!

    It’s no wonder so many people don’t have their browsers set up securely, when it is so hard to do so in IE.

    I’d also like to add my 10,000 votes for the Feedback site to be restored.  I found a pile of z-index /CSS bugs that I want to enter and track.

    *Yes, just press ALT, and it shows up… but for the technically challenged (which is mostly IE users) this is not visible. (Bad design decision #1)

  10. I just made a post on the IE Team blog regarding Zones and Mark of The Web . It’s always a good idea

  11. dus says:

    @Dave Massy

    Please don’t go away, I love you!

  12. Aedrin says:

    "ask someone… oh, its called "Active Scripting"… that makes sense… not!"

    Since you’re speaking about non technical users, Active Scripting makes a lot more sense to a user than JavaScript. Throwing names at users who do not script/program is a bad thing to do.

  13. Best wishes for your future adventures, Dave.

  14. Sven Groot says:

    "ask someone… oh, its called "Active Scripting"… that makes sense… not!"

    Maybe they should drop the "active" bit, but it definitely shouldn’t read Javascript. After all, IE comes with two scripting engines: JScript and VBScript, and this setting applies to them both.

    Also note that neither of them is actually called Javascript. JScript is the Microsoft implementation of the ECMAScript standard which was based on the original Javascript.

    I do agree with your main point though, that these settings are buried too deep.

  15. nbradbury says:

    Dave, thanks for your work, and thanks for blogging here!

  16. Skutt says:

    My scanner doesn't work after installing IE7

  17. Aedrin says:

    "Also note that neither of them is actually called Javascript. JScript is the Microsoft implementation of the ECMAScript standard which was based on the original Javascript."

    This is nitpicking. They’re both the same concept.

  18. Teamzille.de says:

    When developing websites, you usually test them locally first. However, Internet Explorer uses different security settings for the internet and for local pages (the security zones, found in the Internet Option

  19. steve_web says:

    The problem with "Active Scripting" is that it doesn’t actually map to anything.

    Most users, will associate "Active" with "Active-X", and thus start disabling…

    On the other hand, most that have used the web for more than 15min, know about something called JavaScript… they may not know what exactly it is, but they certainly do know about it by name.

    I’d be fine with "Active Script (JScript/VBScript)" or something that at least identifies what it is that "Active" refers to.

    Google for "disable javascript" (~385,000 hits)

    http://www.google.com/search?hl=en&q=%22disable+javascript%22&btnG=Search&meta=

    Google for "disable active script" (~590 hits)

    http://www.google.com/search?hl=en&q=%22disable+active+script%22&btnG=Search&meta=

    I’ll play the "conspiracy theory" card here 😉 and guess that originally it wasn’t called JavaScript because of the association with Netscape, but I think these days, it’s not worth the confusion.

    e.g. AJAX stands for…?

    http://www.google.com/search?hl=en&q=%22disable+javascript%22&btnG=Search&meta=

    but i digress, the main issue is that the dialog is just shy of very-un-user-friendly and I thought I’d point it out here (since there is no IE Feedback!)

  20. Aedrin says:

    "On the other hand, most that have used the web for more than 15min, know about something called JavaScript…"

    That’s a pretty bad assumption.

  21. Dave has announced that he is leaving Microsoft:

    http://blogs.dotnethell.it/vincent/Dave-Massy-IE-Team-lascia-MS__9781.aspx

    Good luck, Dave and thank you for your great work.

  22. PatriotB says:

    It’s called Active Scripting because it used to be called OLE Scripting, and like many things with the OLE name, it got changed to Active.  OLE Scripting -> Active Scripting.  OLE Accessibility -> Active Accessibility.  OLE Controls -> ActiveX Controls — this is actually the exception since ActiveX is used for both controls and for the overarching COM technology.

  23. mocax says:

    Where do I go for help?

    Whenever I enable protected mode, IE7 slows to a crawl. And crashes if I try to launch IE7 via a shortcut or the address box in the taskbar.

    Everything works fine if I disable protected mode.

    I see some un-deleteable add-ons, like Microsoft’s own "add mobile favorite" and "research"

    Disabling those add-ons didn’t work.

    Now protected-mode is a useless feature on my comp.

    How do I re-install IE7 from scratch?

    Without re-formatting the hard disk.

  24. This is great, I was looking for MOTW as I had misplaced this tiny script. Placed it just above the closing header element and it works as usual.

    I don’t get why some people say, "Have a safe trip" as tripping is not safe! Anyway, best of luck to you in your future endeavors!

  25. Brent says:

    Tell the update team to STOP messing with my default settings!

    I just updated all those security patches and my email program is no longer the right one! (Thunderbird)

    It seems that as soon as the update is applied, Microsoft Outlook Express or Microsoft Outlook is now the default email program!

    Excuse me, but I did not ask for this, please do not mess with user settings when applying updates, or you will find users (like me) avoiding applying an update, for fear of the update messing with my settings. ie. what other settings have you changed?

    unhappy camper

  26. steve_web says:

    @Aedrin

    Ok, maybe 15min is a little sarcastic, but the point is that if I mentioned JavaScript in conversation with strangers, they’d likely know what I’m talking about… if I talk about Active Scripting, most wouldn’t have a clue.

    I mean, lets face it, it took how many years for MS to get rid of Clippy?!… If we don’t tell microsoft whats wrong with their software, and we don’t keep pestering them about it, it will never change.

    They can call it Goat Cheese for all I care, as long as getting to the setting, is easy, and intuitive, and user friendly… and not a chore.

  27. Ajay says:

    good work dave !! wish u success in your future mission.

  28. gord says:

    Found a strange bug.

    When using Remote desktop to view an XP box, running IE7, some favicons (*.gif) format, do not render the transparency part properly, instead show a white background on the browser Tabs.

    I would add a test case to Feedback, but it doesn’t exist anymore.

    Gord

  29. Aedrin says:

    "They can call it Goat Cheese for all I care,"

    I thought the whole argument was about calling it the right thing.

  30. steve_web says:

    @Aedrin

    "I thought the whole argument was about calling it the right thing."

    True, but you seemed dead set against that, so rather than argue till the sun turns blue about it, I’d rather focus on the fact that the dialog / contents is extremely user-un-friendly.  If the layout was fixed, then finding "JavaScript" or all things to do with script, would be a piece-o-cake.

  31. Disappointed guy says:

    WHERE ARE THOSE MUI’S AND LIP’S?????WHY you are so dishonest about this??!

  32. Aedrin says:

    "I’d rather focus on the fact that the dialog / contents is extremely user-un-friendly."

    You mean developer un-friendly?

  33. EricLaw [MSFT] says:

    @Brent: The Outlook team would like to help resolve the problem you’ve encountered.  Please send me a message at ericlaw at microsoft dotcom so I can collect a little more information about the problem.  Thanks!

  34. I am sorry that I missed this intially, but in a recent post on the IE team blog Dave Massy a Senior

  35. shisheli says:

    I added an add-on to IE7, and along with this add-on comes a program bonour on my toolbar. My system slowed down. I had to uninstall IE7 and go back to 6. Well, this program bonour I couldn’t get rid of. My system crashed and I lost everything. Are these add-ons tested?

  36. leolucas says:

    I am hoping that someone familiar with the inner workings of IE7 can help with this problem. I have used this type of VBSCRIPT code on an ASP page for several years to launch a program on a server from an ASP page:

    Dim sh
    Set sh = Server.CreateObject("WScript.Shell")
    ' Call (or dropping the parentheses) is required in VBScript when passing several arguments to a Sub
    Call sh.Run("any-program.exe", 0, True)

    The code breaks when I installed Internet Explorer 7 (IE7) on a Windows 2003 Server.

    The error is "permission denied". The error goes away when I uninstall IE7.

    The code works when I uninstall IE7 from the server. There is some configuration setting or software change that IE7 is adding to the server that causes this bug.

    Does anybody know a workaround? Thanks!

  37. ex2blog says:

    IE zones and security, and let's check our pages with default settings IEBlog: http://blogs.msdn.com