Understanding Cookie Controls

Internet Explorer offers an extremely rich set of options for controlling cookies. The default settings are fairly well-balanced, but some users may want to introduce more restrictive or specialized controls.

To configure cookie settings in IE, click Tools > Internet Options. Click the Privacy tab. The tab offers a simple slider with a range of options for controlling cookies set by websites. With the exception of the very top setting "Block All Cookies" and the bottom setting "Accept All Cookies", these settings rely upon the P3P Policies sent by websites when cookies are set. A P3P policy specifies a legally-binding statement[1] about the policies and purposes the website will abide by for its cookies.

Internet Control Panel Privacy tab

The default cookie setting is "Medium", a reasonable balance that allows first-party cookies (unless they're marked to be particularly impactful to your privacy) and restricts third-party cookies (unless they're marked to be fairly innocuous to your privacy). A first-party cookie is delivered by the host of the top-level website you're visiting; a third-party cookie is delivered from a different server whose resources are being (directly or indirectly) used by that page. So, most advertising and analytics cookies are third-party cookies. Non-browser applications should set cookies using the InternetSetCookieEx function to ensure that the user's P3P preferences are respected.

One notable factor is that the slider applies only to cookies for sites in the Internet Zone. Internally, the URLACTION_COOKIES_ENABLED (0x1A10) setting has no UI but controls the handling of cookies on a per-zone basis. When set to 0, all cookies are allowed. When set to 1, the P3P Policy is evaluated to determine whether the cookie should be accepted according to the user's preference. When set to 3, all cookies are blocked. By default, cookies set for the Intranet Zone are always permitted, cookies for the Internet Zone are evaluated against the user's P3P preferences, and cookies set by sites in the Restricted Zone are always blocked.

Interestingly, when IE7 reconfigured the Trusted Zone to use the Medium Security Settings template, the default for this URLAction in that zone changed from Allow (0) to Evaluate P3P Policy (1). Unfortunately, there's no UI for configuring the P3P Policy for the Trusted Zone (oops!), so you may find that cookies are blocked for Trusted Sites by IE7 and later unless you change the Trusted Zone to use the Medium-Low template[2], which will allow all cookies for Trusted Sites.

Instead of adjusting the slider, you can alternatively specify that you want to Allow, Prompt for, or Block all cookies based on their first-party or third-party nature by clicking the Advanced button and ticking the Override automatic cookie handling box.

Advanced Cookie Settings Dialog

The check box at the bottom of the dialog allows you to always permit Session Cookies, which expire at the end of the browser session, regardless of whether they are first-party or third-party. The Prompt setting can be enlightening (since it will notify you about every cookie) but quickly becomes extremely annoying, incessantly interrupting your browsing.

Additionally, you may manually specify the Allow/Deny decision for a specific site by clicking the Sites button. Enter the hostname of the site (e.g. example.com) and then choose Block or Allow.

Per-Site Cookie Restrictions Dialog

The Import button[3] on the Privacy tab allows you to import a Privacy Import File. Privacy Import Files expose a rich set of XML tags that allow fine-grained specification of the cookie policies desired; you can author your own or import one provided by someone else.

One very cool thing about the Privacy Import Files is that you can specify preferences which aren't available via the UI. For instance:

  • P3P-Medium, except any non-blocked 3rd-party Persistent cookies are downgraded to Session cookies (right-click and Save-Target-As Medium+Downgrade3rdParty.xml)
  • P3P-Medium for 1st-party cookies; all 3rd-party cookies are permitted but downgraded to Session cookies (right-click and Save-Target-As Allow3rdPartyButDowngrade.xml)

You can play around with the impact of these settings using a little test page which sets first-party and third-party session and persistent cookies; open and close the browser to see how the downgraded 3rd party cookies are cleared.

Internet Explorer provides a great deal of flexibility in controlling your cookies. While you can easily block all cookies, you will quickly find that many websites don't work correctly. It's also important to understand that there are other mechanisms that websites can use to impact your privacy. Features like InPrivate Browsing and InPrivate Filtering go beyond cookie controls to help mitigate other privacy threats. Also, if there are common trackers that you want to restrict (tracker.example.com), you can simply add them to the Restricted Sites zone to prevent them from getting cookies or running script or ActiveX controls.

Until next time,

-Eric

[1] There's no technical means by which the browser can enforce the claims in the P3P statement, because the client has no way to know what a server does with the data it aggregates. However, a government or individual would have grounds to file a lawsuit if it were determined that a website was failing to uphold their declared privacy policy. Update 2/20/2012: See https://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx for further discussion.

[2] The Internet Explorer Enhanced Security Configuration (aka Hardening) applied to Windows Server user accounts sets the P3P Settings for the Trusted Zone to the P3P Medium template.

[3] Internally, the Import button simply parses the XML and calls the function PrivacySetZonePreferenceW in WinINET. The WinINET function stores the settings in the registry under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones as the value of the node {AEBA21FA-782A-4A90-978D-B72164C80120} (for first-party cookies) and {A8A88C49-5EB2-4990-A1A2-0876022C854F} (for third-party cookies). If you later click the Default or Advanced button, it will undo the imported privacy policy.
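As an added illustration (this script is not part of the original post), here is a small PowerShell audit that reads the per-zone URLACTION_COOKIES_ENABLED value discussed above and the two privacy nodes named in footnote [3], so you can see at a glance which zones allow, evaluate, or block cookies and whether the Trusted Zone quirk from IE7 applies on a given machine. It assumes that URLActions are stored as DWORD values named by their hex id (1A10) under each numbered zone subkey, and that the two GUID-named values live under those same per-zone subkeys; both are assumptions about layout, not something the post states. The function and variable names are my own.

```powershell
# Added example, not code from the original post.
# Audits Internet Explorer's per-zone cookie handling from the current user's registry.
# ASSUMPTION: URLActions live as DWORD values named by hex id (e.g. "1A10") under
# HKCU\...\Internet Settings\Zones\<n>, and the two privacy GUID values sit under the
# same per-zone subkeys. Run in an elevated or normal PowerShell on Windows.

$ZonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames      = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$CookieAction   = '1A10'                                   # URLACTION_COOKIES_ENABLED (0x1A10)
$FirstPartyGuid = '{AEBA21FA-782A-4A90-978D-B72164C80120}' # first-party privacy node (footnote 3)
$ThirdPartyGuid = '{A8A88C49-5EB2-4990-A1A2-0876022C854F}' # third-party privacy node (footnote 3)

function Get-IECookieZonePolicy {
    # Returns one object per zone describing how cookies are handled there.
    foreach ($zone in 0..4) {
        $key   = "$ZonesKey\$zone"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $raw   = if ($props) { $props.$CookieAction } else { $null }

        # Map the URLAction value to the meanings given in the post (0 / 1 / 3).
        $mode = if ($null -eq $raw) {
            '(1A10 not set in HKCU; zone default applies)'
        } else {
            switch ($raw) {
                0       { 'Allow all cookies' }
                1       { 'Evaluate P3P policy against user preference' }
                3       { 'Block all cookies' }
                default { "Unrecognized value $raw" }
            }
        }

        [pscustomobject]@{
            Zone           = $zone
            Name           = $ZoneNames[$zone]
            CookiesEnabled = $raw
            Mode           = $mode
            FirstPartyPref = if ($props) { $props.$FirstPartyGuid } else { $null }
            ThirdPartyPref = if ($props) { $props.$ThirdPartyGuid } else { $null }
        }
    }
}

function Test-IECookieZonePolicy {
    # Emits a line for each condition the post calls out as surprising or risky.
    foreach ($r in Get-IECookieZonePolicy) {
        if ($r.Zone -eq 2 -and $r.CookiesEnabled -eq 1) {
            'Trusted zone is set to Evaluate P3P (IE7+ default). There is no UI to tune its P3P ' +
            'preferences, so cookies from Trusted Sites may be blocked unless the zone uses Medium-Low.'
        }
        if ($r.Zone -eq 3 -and $r.CookiesEnabled -eq 0) {
            'Internet zone allows all cookies; the Privacy slider is effectively bypassed.'
        }
        if ($r.Zone -eq 4 -and $null -ne $r.CookiesEnabled -and $r.CookiesEnabled -ne 3) {
            "Restricted zone does not block cookies (1A10 = $($r.CookiesEnabled)); the default is Block (3)."
        }
    }
}

# Usage
Get-IECookieZonePolicy | Format-Table Zone, Name, CookiesEnabled, Mode -AutoSize
Test-IECookieZonePolicy
```

The FirstPartyPref and ThirdPartyPref columns are returned raw rather than interpreted: they hold whatever the Import button (or the Advanced dialog) wrote via PrivacySetZonePreferenceW, so a non-empty value for the Internet zone is the quickest way to confirm that an imported Privacy Import File is still in effect and has not been undone by a later click on Default or Advanced.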

Microsoft Standards Documentation of P3P