Some of the new stuff in Windows XP SP2

We’re on the home stretch for Windows XP SP2! I can’t begin to tell you what a relief it is to see it almost done.

Anyone, over the next few weeks I want to outline some of the new features in the product.

Ok, here’s the the first, I call it protecting users from themselves.

If you attempt set the default Internet zone security policy to lower than Medium, IE will complain, and set it back to Medium for you 🙂

Sure you can hack the registry, but the point is to protect people from making little mistakes!

Comments (20)

  1. What about something to protect users from hitting the poweroff on their powersupply ^^ maybe 1000 Volt à 10 Ampere 🙂

  2. Michael Howard says:

    hhhmmm, 1000v at 10amps = 10kW; sounds like instant death to me! I’m not sure that’s a good idea!

  3. Michael: Is this true, or a joke?

    If it’s true, then why have any settings lower than medium at all?

    The way I understood it, Trustworthy computing says that things should be safe by default and that we should strive to educate people as to the risks involved in the choices they are presented with.

    I only see part of that here. We set the security policy to high (great!!, first step). We complain (great!!, users have to think about what they’re about to do, and we can educate them at the same time). But then we override their choice! This seems like a very bad thing to me. It seems like this will just aggravate users and cause them to seek out ways to disable security settings "because it gets in my way"

    If we really don’t want them setting the level to "low" or "none", then just don’t include the option whatsoever.

  4. E-Bitz - SBS MVP the Official Blog of the SBS says:
  5. James says:

    I agree with Cyrus. If it’s a complete mistake for anyone, including seasoned pros, to use the UI to adjust the setting to anything less than Medium, then Medium should be the lowest setting.

    To me, having a non-selectable "low" visible to users only undermines the Usability of the dialog and announces to hackers that "hey, there is a low setting out there".

  6. Ben says:

    Protecting users from themselves? Why is it the users fault IE sucks? It is more like protecting users from the software Microsoft ships with flaws.

  7. Mike Kolitz says:

    Michael, was this change introduced after RC2? I see that IE is not letting me change the security from Medium, but it’s not complaining about it – it lets me think that I changed it without saying anything.

    I also agree with Cyrus, though. If ‘Low’ is not selectable through the interface, it shouldn’t be exposed through the interface.

  8. Michael Howard says:

    My guess, and it is a guess (I’d need to speak with the IE UI guys) is if an admin *allows* low by hacking the registry for a specific reason then it would be shown in the UI.

  9. Michael Cook says:

    Thats sounds like a horrible feature for uses. If the user can’t set it, don’t put it in the interface, don’t even have it as a hidden setting. If the average user doesn’t know it’s there, that just opens up an exploit for someone to change a setting the user didn’t know existed.

  10. Jim says:

    "protecting users from themselves"

    It gives me the creeps every time I read a declaration like this. So now it’s the user’s fault, right? The point is that most users that are currently being screwed by IE’s vulnerabilities never changed the zones in the first place. And for the other users who do, we’ll now still give them the lower option but we’ll yell at them when they try to use it. Is that right? Why not just remove the option from the list in the first place?

    It’s sad that it took so long for it to be fixed, but I’m glad it finally did.

  11. Jerry Pisk says:

    Funny, because you’re not protecting the users from themselves when you go Custom and enable downloading and execution of unsafe and unsigned ActiveX controls without asking. Once again, you’re doing a halfa$$ed job at what you’re trying to do. If you guys only invested the time to "protect users from themselves" to protecting them from your bugs.

    I’ve filed this as a bug in SP2 since the feature completely fails to do what’s it supposed to do and I completely agree that if it can’t be selected you shouldn’t make it available for selection.

  12. Ron Green says:

    I agree with Cyrus. Don’t give th use an option he can’t use.

    Amazingly, we don’t have to deal with this in firefox.

  13. Pavel Lebedinsky says:

    I think it’s a good feature. It addresses a real problem with the existing UI – namely, that it’s very easy for users to accidentally shoot themselves in the foot.

    Sure, it could have been more thorough. It doesn’t prevent you from doing stupid things using custom settings. But it’s simple enough to be squeezed into a service pack at the last moment (I think it wasn’t there in RC1), and it addresses the 90% case.

    For all those who say "if users can’t do this, don’t show the option" – think about it. How would you handle the case where settings are set to "low" in group policy? Would you show it as "custom" on the client, or what?

  14. Michael Howard says:

    I think people are reading a little too much into the "protect users" comment I made. Building secure software means many things, from better educated developers, better design, better code, better testing, reduced attack surface and finally, helping the users make good decisions.

    I am *ABSOLUTELY* not blaiming users for anything, and any who knows me will back me up – I am totally in favor of getting as much right up front and not putting the burden on users.

    This change in IE, which is amongst hundreds of other defenses added to XP SP2, is only one.

  15. Jerry Pisk says:

    How is it easy to accidentally change that setting? You have to go through four mouse clicks to change it (and fifth to accept the change), do you know what the chances are of accidental mouse clicks to actually do this by accident? Most users don’t even know there are security zones.

    So once again, Microsoft is doing the wrong thing – it’s assuming ALL of its users are complete idiots that need to be protected from themselves. We’ve seen this with Visual Studio and now we’re seeing it with the rest of their applications. Soon there will be no Cancel buttons, so users can’t accidentally cancel their actions. Choice is a forbidden word at Microsoft…

    And Mike – you don’t build secure software by not allowing users to control it. You build it by fixing bugs (there will always be bugs since nobody’s perfect), and fixing them quick. It’s been a long time in bug fixing terms since was posted, and even a longer time since this issue is known, where’s the fix? I’m repeating myself but we’d be all much better off if you put your energy into protecting users from your issues instead of trying to come up with ways to protect users from their actions.

  16. Michael Howard says:

    >>do you know what the chances are of accidental mouse clicks to actually do this by accident

    again, you are reading too much into my comments. i never said, "by accident"

  17. Peter Torr says:

    Mike: I’m pretty sure that this feature was always there; you just had to have the "Minimum" value in the Registry set correctly. The only thing is that SP 2 changed it from "Low" to "Medium." But I could be on crack…

    Jerry: Perhaps you’ve never been to a website that says "If this page doesn’t load, click Tools->Options->Security and set it to ‘Low’." This feature will protect those users not from themselves so much as from the websites that are giving them bad advice.