IE in XP SP2 (Part 2): Information Bar – Stopping the modal dialog madness

See Also: Part 1: Authenticode – No and never again!

The Information Bar is a new piece of UI that shows up when potentially dangerous actions on a page have been blocked. It appears between the toolbar and the content window, and looks a bit like the bar that appears in Outlook 2003 and MSN 8/9 to block images from email messages.

The following are some of the actions blocked by the Information Bar.

ActiveX Install Prompts

In Part 1 I discussed some of the changes made to Authenticode to enhance usability and allow you to block publishers you don’t trust. What I didn’t mention is that in most cases you won’t even see the dialog anymore, because the Information Bar will appear first!

If you’re like me, you’re wary about installation dialogs for a couple of reasons. First, there’s always the possibility you might mis-click and accidentally install something that could be spyware/malware. Next, even though you know not to install unsolicited software, do your friends and family that use your computer understand this? Also, what happens when they stray from mainstream sites and reach a malicious page that bombards them with multiple ActiveX install prompts in an attempt to trap them into installing the software? We’ve changed some of the plumbing for Authenticode to help prevent multiple prompts, and you can now hold down Esc to both cancel the dialog and stop loading the page, but the Information Bar goes further by simply not showing the dialog unless you request it.

When you click the bar you’re presented with a menu from which you can install the ActiveX control. This temporarily turns off the block and refreshes the page, at which point you will get the Authenticode dialog.

One case that will bypass the Information Bar in this scenario is when a page is using a control that is newer than the one you already have installed. Since you have already trusted the software we permit the Authenticode dialog to show immediately in order to promote upgrades, particularly because upgrades often contain security fixes. A control will only be considered an upgrade if it uses the same CLSID as a control that is installed and it has been signed with the same certificate as the installed control. This helps prevent malicious sites from bypassing the Information Bar by making their control look like an upgrade.
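The upgrade rule above, modelled as a small decision function. This is an added example, not IE’s code: it encodes the post’s conditions (newer version, same CLSID, same signing identity) and uses the author’s clarification from the comments that “same certificate” means same issuer and same subject, so a renewed certificate still counts. The CLSID, publisher names and versions are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignedControl:
    """What the browser can read about a control: its CLSID, its version,
    and the issuer/subject names from its Authenticode certificate."""
    clsid: str
    version: tuple            # e.g. (1, 2, 0, 0)
    cert_issuer: str
    cert_subject: str

def is_trusted_upgrade(installed, offered):
    """True only when the offered control qualifies as an upgrade of an
    already-trusted control under the rule described in the post."""
    if installed is None:
        return False                      # nothing trusted yet: no upgrade path
    if offered.clsid.lower() != installed.clsid.lower():
        return False                      # a different control entirely
    if offered.version <= installed.version:
        return False                      # not newer, so not an upgrade
    if (offered.cert_issuer, offered.cert_subject) != \
       (installed.cert_issuer, installed.cert_subject):
        return False                      # same CLSID but another publisher: look-alike
    return True

def decide(installed_by_clsid, offered):
    """Which UI path the post describes: the Authenticode dialog straight away
    for a genuine upgrade, otherwise the Information Bar."""
    installed = installed_by_clsid.get(offered.clsid.lower())
    return "authenticode-dialog" if is_trusted_upgrade(installed, offered) else "information-bar"

# Constructed sample data (placeholder CLSID, fictional names).
CLSID = "{00000000-0000-0000-0000-000000000001}"
INSTALLED = {CLSID.lower(): SignedControl(CLSID, (1, 2, 0, 0), "Example CA", "Contoso Ltd")}
RENEWED_CERT = SignedControl(CLSID, (1, 3, 0, 0), "Example CA", "Contoso Ltd")   # renewed cert, newer build
LOOKALIKE = SignedControl(CLSID, (9, 0, 0, 0), "Example CA", "Other Publisher")  # reuses the CLSID only
OLDER = SignedControl(CLSID, (1, 1, 0, 0), "Example CA", "Contoso Ltd")          # downgrade attempt
UNKNOWN = SignedControl("{00000000-0000-0000-0000-000000000002}", (1, 0, 0, 0), "Example CA", "Contoso Ltd")

if __name__ == "__main__":
    for name, ctl in [("renewed", RENEWED_CERT), ("lookalike", LOOKALIKE), ("older", OLDER), ("unknown", UNKNOWN)]:
        print(name, "->", decide(INSTALLED, ctl))
```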

Non-user-initiated Download Prompts

Like ActiveX, if a page tries to push a file download on you, again raising the possibility that you will run (or save and later run) unsolicited software, it will be blocked by the Information Bar. The logic for whether to block downloads is similar to the logic for blocking pop-up windows, so if you directly click a link you’ll get the file download dialog unimpeded. Some download sites will have to adapt to this new behavior.

On a side note, we have also turned on the option to verify the signature on certain types of files such as EXEs. This means that when you run software from the download dialog you may get a secondary prompt that shows the same information as the Authenticode dialog (i.e. name and publisher from the digital signature). This prompt helps certify that the file is, indeed, from who it says it is from. File attachments in Outlook Express and a few other scenarios will get the same treatment.

Blocked Pop-up Windows

As with blocked downloads, Jeff Davis is much more qualified to talk about this, but I’ll mention a couple of things.

First, the pop-up blocker is now on by default! When a pop-up window is blocked the Information Bar will appear, and from there you can replay the pop-ups, always allow pop-ups for the site, and configure the pop-up blocker. The first thing I do from here is turn off the Information Bar for pop-ups. They’re so common, and so infrequently wanted, that I prefer the lighter weight option of just showing the status bar icon.

ActiveX Control Blocked Errors

If you’ve ever tried to browse the web with elevated security settings (or on Windows 2003 server) you know that it can be a frustrating experience because of the frequent message boxes stating that “An ActiveX control has been blocked…”. Now this’ll be pulled into the Information Bar, giving you a less intrusive user experience. Unlike most of the other items in Information Bar, this is not actionable. There is currently no way to temporarily lower your security settings to get the ActiveX install prompt.

This also means that if you’re really paranoid, you can install the interesting/useful ActiveX controls like Flash, and then go to “Tools/Internet Options…”, “Security” tab, “Custom Level” (for Internet), and set “Download signed ActiveX controls” to Disable. Now you have no chance of accidentally installing ActiveX controls and the browser is still usable.

Local Machine Zone Lockdown

Local Machine Zone Lockdown is one of the most impactful security mitigations in IE for XP SP2. It deserves an entire blog entry (or several), but, briefly, LMZ Lockdown affects the explorer.exe and iexplore.exe processes, and places severe restrictions on things such as executing script and running ActiveX controls in the local machine zone (i.e. a local .html file). When the lockdown is in effect you will see the Information Bar with a menu item that lets you temporarily disable the lockdown by reverting to the old Local Machine Zone settings for that instance of the browser.

That’s all for now. Note that there may be more (or fewer) actions blocked by the Information Bar in the future, and I haven’t necessarily covered them all.

In designing and building these IE security features we’ve spent a lot of time trying to find the right balance between allowing sites to do what they need (preserving site compatibility), and giving the users more control. This is a very fine line; anything we do to stop the “bad guys” also has the potential to break the “good guys” if they are doing something similar, but for legitimate reasons. Between now and RTM you can expect site compatibility to get a bit better as we implement (safe) workarounds for common scenarios, but if you’re a web developer you should not rely on it.

Do you think this will make browsing the web more secure? What about reducing the proliferation of spyware/malware?

Comments (37)

  1. Jerry Pisk says:

    ActiveX control will be considered an upgrade only if it’s signed with the same certificate? Is Microsoft saying that once you buy a certificate you only have a year (or two) to finalize your code because once you renew your certificate (effectively creating a new one) it will not be considered an upgrade to an existing control?

  2. I should be more precise: we check that the certificate is from the same issuer, and issued to the same subject. This should allow for renewals.

  3. Jerry Pisk says:

    Thanks for the clarification, that makes a lot more sense.

  4. Oleg says:

    How about tabbed browsing ? Will IE now have tabbed browsing ?

  5. Anonymous says:

    Oleg Dulin :: Microsoft to Catch Up with Mozilla

  6. JC says:

    Will Microsoft update IE’s CSS rendering? IE’s poor CSS rendering is a significant hindrance to all web designers / developers who try to make W3C standards-compliant markup.

  7. JD on MX says:

    IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" or Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only…

  8. Oleg and JC – I can’t comment on future features, sorry.

    However, for tabbed browsing you can use Avant Browser or MyIE2, two good browsers that host the IE web browser control.

    Also, unless somebody beats me to it, later this week I’ll describe how to enable the new IE security mitigations and UI such as the Information Bar for 3rd party browsers such as those.

  9. José Jeria says:

    Is there any chance that any of these bugs will be fixed for the final Service Pack2?

    A simple no would be better than just ignoring all the posts asking for better standards support, transparent PNG etc.

  10. I just removed the blue e from my quick launch menu. And I replaced it with a little FireFox icon, mainly for the tabbed browsing but also for the cool plugin abilities and increased browsing security. Thank you microsoftees.

  11. Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening…

  12. José, see my comment just prior to yours. For XP SP2, security work was the priority. Beyond that I can’t comment on CSS, PNG, or other standards support.

  13. David M. Kean says:

    Can you please explain why Local Machine is locked down more than a site in the Internet zone?

  14. David, I’m considering doing a more in-depth post on this later but I need to do some asking around first since I don’t know much about that feature.

    I suspect it’s because you can do more within the same zone than across zones, even with the same permissions. This means once an attacker can stick their foot in the door and get into the LMZ, even with internet-level permissions they could roam around in that zone and potentially find another exploit that lets them do something more harmful.

    It’s all about defense in depth.

  15. JC says:

    If there is an activex download initiated by the user, can a developer avoid the information bar?

  16. JC, currently there is no such thing as an ActiveX control install directly initiated by the user. The only alternative right now is to package the control in a small exe-based installer and do a regular download.

    This is a scenario we continue to think about.

  17. Sean says:

    Is LMZ lock-down the default setting? Or does one have to choose to lock it down?

    Where do the "old local machine zone settings" come from? They’re not available for users to set in Tools | Internet Options | Security.

  18. Sean says:

    You say "… a menu item that lets you temporarily disable the lockdown…"

    Can you define "temporarily" ?

    Does that mean click the "override" menu item once, and you get to view one local HTML file… and to see another local HTML file you have to click the menu item AGAIN?

    How does a user disable the LMZ lockdown for an entire browsing session? This is essential for anyone who needs to locally view browser-based app’s… such as online training.

  19. JC says:

    I have a page that downloads an ActiveX object. I now have it to where it waits for the user to click on the information bar. The problem is that when the user clicks on the information bar, IE refreshes, giving me the "The page cannot be refreshed without resending the information" dialog.

    I’ve tried setting the cacheability, etc., but it seems that IE invalidates the cache regardless.

    How am I supposed to get around this?

  20. I recommend moving the ActiveX install earlier in the process, on a page that does not require posting information back to the server.

  21. Sean, temporarily means it only lasts for that session of IE. Once you exit that instance of the browser you would have to click again.

    Local browser-based apps that are hosted in IE and require script should use the "mark of the web" as described in the XP SP2 documentation. They can also be configured to run in an HTA or other host.

    The last resort would be to disable this security mitigation using the registry keys.

  22. TheICrow says:

    That means clicking over and over for any HTML-based local content (like HTML Help). Screw ’em, I want to decide for myself the balance of usability vs. security.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown

    setting REG_DWORD values to 0 disables LMZ lock-down.

    Do I have to spend hours hacking the registry to have some, at least partially, usable OS? Some more surprises like this one and next there’s *nix or a Mac.


  23. TheICrow, the solution is to use the Mark of the Web on local content, or host it in another container such as an HTA. For things like standard HTMLHelp, this is already the case.

    I’ve been using SP2 on my main home and work machines for several months now, and haven’t encountered LMZ lockdown very often, especially with the newer builds. The exception is when testing web pages locally before putting them up on a server.

    In recent builds there is a new setting, "Allow active content to run in files on my computer" under Internet Options / Advanced / Security. This will keep you from having to mess with the registry.
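The "mark of the web" recommended in comments 21 and 23, shown as an added example rather than anything from the post or the SP2 documentation. It assumes the documented comment form `<!-- saved from url=(NNNN)URL -->`, where the four-digit number is the length of the URL that follows, and uses `about:internet` so a local file is treated as Internet-zone content without naming a real site; the sample page is constructed.

```python
import re

# Matches a mark-of-the-web comment that is already present (assumed format).
MOTW_RE = re.compile(r"<!--\s*saved from url=\(\d{4}\)\S+\s*-->", re.IGNORECASE)

def mark_of_the_web(url="about:internet"):
    """Build the MOTW comment: a zero-padded four-digit URL length, then the URL.
    about:internet assigns the file to the Internet zone without a real origin."""
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)

def add_mark_of_the_web(html, url="about:internet"):
    """Insert the MOTW comment at the top of an HTML document (after a DOCTYPE
    if present). Documents that already carry a mark are returned unchanged."""
    if MOTW_RE.search(html):
        return html
    mark = mark_of_the_web(url) + "\n"
    doctype = re.match(r"\s*<!DOCTYPE[^>]*>\s*", html, re.IGNORECASE)
    if doctype:
        return html[:doctype.end()] + mark + html[doctype.end():]
    return mark + html

# Constructed sample: a local page with script that LMZ Lockdown would otherwise block.
SAMPLE_PAGE = "<!DOCTYPE html>\n<html><body><script>document.write('hello')</script></body></html>\n"

if __name__ == "__main__":
    print(add_mark_of_the_web(SAMPLE_PAGE))
```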

  24. Developer says:

    The Information Bar does not appear when a web site tries to install an ActiveX control on an XP SP2 Professional machine. If a different user logs into the same machine, it does. All the security settings are the same in both the cases. What could be the reason for this behavior?

  25. Developer, is the user an Admin? Non-admins typically can’t install ActiveX controls. In future releases we will improve the error handling for the non-admin scenario.

  26. Mike says:

    well, that’s too late.

    IE made me sick -> switched to firefox on friday.

  27. João Amaro Lagedo says:

    Ok one more FireFox Nazi, tabbed Browsing + Pop Block + extensions + W3C = Firefox

  28. MS says:

    Am I the only one that finds the "Information Bar" just as annoying as the modal prompt for "ActiveX is disabled. The web page may not display properly" …?

    When you disable download of ActiveX controls, you should have the option of disabling the Information Bar entirely, or maybe displaying an icon on the status bar as it does for Pop-Ups.

    I find the information bar just as intrusive. Also, if you don’t know how to change its default sound for ActiveX blocks, it’s enough to drive you crazy mad…

  29. Q Daily News says:

    I love the new popup killer that’s part of the Windows XP Service Pack 2 updates to Internet Explorer, but I have a question. Is there a way to tell IE that, for specific websites, you don’t want the Information…