Internet Explorer in XP SP2 RC2

First, I’ll join everybody else in announcing that XP SP2 RC2 is available for download! If you’ve put off installing it, now’s the time to give it a shot and test all of your favorite applications and web sites. Most of the work recently has been on bug fixes, and compatibility fixes in particular. If there’s anything that doesn’t work by now it will probably not work in RTM unless you notify both Microsoft and the vendor (or web site administrator).

Below are a few of the changes in IE for RC2 (since RC1). This list is very incomplete – I’ll try to post a follow-up entry or two to cover some of the changes I missed or that are in areas I’m less familiar with.

Information Bar Updates

When the Information Bar blocks an ActiveX control, the name and publisher are now included in the warning text. If the control has a visible area in the page, similar text will also be shown in that area, and users can right-click in that space to show the context menu to install the control. This change was made to increase discoverability and help the user make a better decision about whether to proceed to the Authenticode dialog.

We also implemented an application compatibility fix to handle the common scenario where a web site detects that the ActiveX installation failed and redirects to an error page. In this case, users will be shown a version of the Information Bar on the redirected page, and clicking the “Install ActiveX Control” menu will navigate back to the page where the control was suppressed and allow the Authenticode dialog to be shown. The end user experience is not smooth, but this unblocks a large number of web pages that were redirecting on failure.

As a last resort, holding down the CTRL key is a universal workaround for pages that have tricky logic that eluded our attempts to unblock something after it’s been suppressed by the Information Bar. This works for ActiveX controls, file downloads, and pop-up windows.

Other minor changes (I don’t recall if these were in the last public release or not):

  • Users will now receive a dialog the first time the Information Bar is shown so that it is more discoverable, particularly for people who rely on screen readers and may not otherwise be aware that content will be blocked by modeless UI.
  • There’s now a close button on the bar just in case it gets in the way.
  • There are now two independent security zone settings for whether to suppress the ActiveX install prompt and whether to suppress non-user-initiated file downloads.
  • When the Information Bar is shown, the cursor briefly changes to an arrow plus the icon that is shown in the bar.
  • We added (and tweaked, and tweaked) sounds for the Information Bar and pop-up blocker.

Manage Add-ons Updates

The Manage Add-ons dialog now shows more useful columns by default, including the name of the add-on, the publisher, and the file that implements the add-on. You can also choose to display columns for additional information such as the CLSID and the folder that the file is located in.

Pop-up Blocker Updates

Jeff Davis can detail the changes here. The primary one that I worked on was to enable ActiveX controls such as Flash to launch new windows for user-initiated actions. Previously these were all blocked because IE did not detect mouse clicks or key presses within windowed controls.

New Pet Peeves Fixed

The disappearing status bar bug should be gone for good. We also fixed most of the scenarios where the URL you were typing in the address bar would get stomped or disrupted if a navigation happened while you were typing.

(Edit: Made it clearer that these are just changes made between RC1 and RC2. See the official documentation and other blog entries for a more complete list of changes made in SP2.)

Comments (41)

  1. Seth says:

    Pop-up blocker has a problem in RC2. It blocks the pop-ups, but when you click it the option to "show blocked pop-up" is no longer there (was there in RC1). I’ve noticed the problem on a couple different machines, running XP home & XP Pro, including a fresh install of RC2 and an upgrade from RC1.

  2. Seth, the new option is named "Temporarily Allow Pop-ups", and it effectively does the same thing.

  3. David Candy says:

    Why are you making our lives so hard. What is the need for a popup blocker. If you don’t want the ads from a site don’t visit the site. So simple.

    My paper pops up one popup per day. Big deal. So why are we having this marketing drivel shoved down our throats for a problem that doesn’t even exist.

  4. Frank Ledo says:

    I am noticing that popups that never had status bars before, now show status bars, even when they are explicitly turned off in the command.

    Why is this?

  5. Frank, this is by design to help mitigate some UI spoofing attacks.

  6. David Candy,

    Are you insane? Sure, your one site behaves itself. Unfortunately the masses of the world have gone and blown it for you. Insane numbers of popups and pop unders, some with content you really don’t want appearing on your desktop in a workplace — no way, hose.

  7. Emidio says:

    the SP2 RC2 is not rendering XBMP images, hope they fix it, otherwise we’re gonna see a lot of hit counters start to go [X]

  8. Sam says:

    Another pop-up problem: when using websites where you have logged in, when you allow the pop-up temporarily, IE refreshes the current page, thus resetting the connection with the server. Ironically, this happened when I used one of Microsoft’s training sites. I had completed an online test; 45 minutes after answering the questions, a popup was blocked, I allowed it, and the page reloaded back to the main front page! Lost it all.

  9. Myron says:

    Better of all, leave it to the user to define how windows should appear. There are way too many times that a new explorer window appears with the menus minus the toolbar and everything else, then I am forced to manually turn everything on.

    Ok, so the web designer and/or program would like to have ultimate control of how the browser UI behaves. Fine, but wrong. Leave it to the user. If the user overrides the programmer’s wishes by forcing all the toolbars and the status bar to appear all the time then so be it. If it does not appear right then it’s to the user to alter the option so the programmer’s wishes are honoured.

    If a user does not want pop-ups, fine. If the site does not work properly without pop-ups then all the user has to do is turn on pop-ups for a site and this is currently in IE6.2.

    Bottom line, the user has the ultimate and final, irrevocable say and control on how the Explorer UI behaves. No more, no less.

  10. Matt Dunham says:

    Ok I recently installed XP SP1a and everything was nice, then Windows Update installed a bunch of SP2 updates and somehow it disabled all popups from IE, so I went and installed XP SP1 RC2 and set it to enable all popups, and still all popups are still disabled. I have no other popup blocking software installed at all, I’m 100% positive of that. It was only after I received SP2 updates for Internet Explorer where this bug occurred. Any help?

  11. flex-mx says:

    For those who still use IE to any extent (hey, I do – although I’m slowly swimming to Firefox) – Tony Schreiner lists upcoming bug fixes in Internet Explorer in XP SP2 RC2 (whose preview is apparently out)……

  12. Myron, I agree and I advocate taking this approach whenever it makes sense (along with reasonable (and safe) defaults).

    However, taking the toolbars in pop-up windows as an example, this is an area where web site compatibility rears its ugly head. For whatever reason, long ago it was decided that web sites could turn off the toolbar and address bar, and now many pages have come to *depend* on that functionality, and will actually break in both subtle and non-subtle ways if it’s changed.

    This just reinforces how important it is to make the right decision the first time around, because once hundreds of millions of users are using your product it can be extremely hard to change the behavior.

  13. Sam, we used to capture and replay popups, but the problem is that some sites script to the popup and would break in other ways if we simply replayed it without refreshing the page.

    These sites will need to be changed, and Microsoft has their own share of them. 🙂

  14. Matt, I’m not sure what to suggest except to check the registry keys that Jeff Davis describes at

    There are no known bugs with the Popup Manager blocking popups when it is disabled.

  15. Christian Koerner says:

    Is there anyway through DHTML to catch that the page has been called from the Information Bar, like an event to listen for?

    Also the Toolbar works mostly OK when the ActiveX component is scripted through JavaScript and redirects to a previous page, even while I have seen the page lose its ASP.NET viewstate.

    But using panels on the same page, and using postbacks in ASP.NET to do the same thing wreaks havoc on it. Any suggestions?

  16. Garrie says:

    Since when did it become Microsoft’s job to dictate what I can and can NOT do with my websites?

    If I use popups on MY SITES they are for a reason. The sites that use Popups in a bad fashion are sites that are illegal for the most part or adult.

    You saying the "Masses" is utter bull. It’s actually only a few sites.

    I see urging EVERYONE to use Netscape or Mozilla now since Microsoft has decided what’s in the users "best interest."

    The ONLY reason you are removing popups is because there are 15 year old high school kids that can out program the security of Windows. But hey, let’s make the browser part of the OS and it will be better! Oh wait, this makes it worse because of Windows’ lack of security.

    Get to work on SECURITY issues and the popup problems will be less.

    BTW: I already wrote a program to turn popups on for people by pushing ONE button and found a way to get around your "blocks." Nice try guys but you can’t program.

  17. Chill out Garrie.

    You advocate people switch to alternate browsers. Well, guess what: they all have pop-up blockers now.

  18. dnl2ba says:

    Garrie, Microsoft is adding the feature because people want it. Surprise: most of us don’t like unsolicited pop-ups!

    SP2 RC2 still lets visitors know that there are blocked pop-ups and gives them the option to open them. Plus, those of you who love pop-ups can disable the pop-up blocker.

  19. Kjell Runde says:

    Any news on when SP2 comes in Norwegian …as I run? Lots of people are not able to test the SP, due to different language setup…..World is a big place…

  20. Darren Stewart says:

    As a browser, IE is nicely integrated in Windows. Its tie into the OS offers an up and a down side. I think, and I may be wrong, that inside Microsoft, its developers, and its developers who work outside Microsoft fundamentally do not understand the critical state of the browser.

    If I were running a company with a full AD, Full infrastructure, SMS, SUS, then maybe we would be able to set things up to patch and cover our asses, but we don’t. And we won’t any time soon. And EVEN if we did, the concession that that is the state we are in is a defeatist, apologist, disaster of an ideal.

    How a leading tester of IE can make the comments made at the top of this page show the level of astonishing lack of understanding about the issues surrounding IE outside of Microsoft. How can you really laugh off a state where a company is only offering a fix for its product by an unavailable (read non beta) SP2 package?

    Right now, IE is the biggest hole in Windows. I can’t recommend it to friends, family or business. If I do, I know I’m going to be right there installing patching to any such machine forever. It’s taken over from Outlook (a product now nicknamed Lookout by many) as the current security and operational nightmare.

    It’s built into your systems guys, it’s not easily removed, it’s not easily maintained, it’s not secure, it’s a bloody nightmare?

    Can you think of another browser that has to have the following installed JUST to have any semblance of hoping to protect the machine?:

    A pop-up blocker



    Full AntiVirus

    And that’s before we cover whether people will ever absorb the constant stream of Windows updates. The fact that the core is so riddled, and the numbers of updates required by say, dial up users, is now guaranteed to limit take up of your updates.

    I’m not anti-Microsoft, BUT dammit, sometimes you guys are your own worst nightmare. In recent months MS has re-iterated that it’s serious about security. Right now, IE needs to come with a health warning. It needs major work in education of end users so they can protect themselves. Most users outside of a development or IT environment simply are not aware of how bad IE is, and they make assumptions about an application in regard to IE that will lead to their machines being taken. But all of that is because IE is *REALLY* that bad. It’s really that riddled, open, bugged.

    Right now, in my company, from the cleaners, the users, right through to Management, there is not a soul who has faith in IE, and thus Microsoft. Blithely chalking things down to ‘We suggest you get SP2’ when SP2 is still merely a release candidate is a wind up.

    Every day of my life is now taken up with Windows updates for IE to a large degree, it’s taken up with removing the junk, backdoors, spyware, adware, browser helper objects, infestations, keyloggers, and you know what, the consensus is always that it’s our fault, the end user’s fault, a lack of security, firewalls, policy, staff behaviour, or that we should change our whole structure by implementing an SP2 that is still only a ‘release candidate’. That’s me, on the arse end of you guys and your ‘development’ between a rock and a hard place.

    Guys, PLEASE PLEASE PLEASE UNDERSTAND that I can’t remove IE. That’s your doing. I can’t goddamn continue to commit workaround after workaround on such a core, broken, bugged component. Is your intention to drive all end users who have any semblance of intelligence away? You do know anyone with a shred of background info is moving off IE, even if they can’t remove it. People are running to the hills. The browser is just another component like Office or otherwise that if you lose on, you lose on it big. People can use Linux from browsing the net, do you want that?

    I no longer give a rat’s ass about new function in IE. I really mean that. I’m not interested in IE adding more for developers. I want a damned browser that is not the new Outlook. I want it simple, secure, solid. And if your answer is what I am seeing so far, I’m going to take my whole company IT structure, and I swear I’ll get rid of this myself. I don’t care that I may be a small customer, I don’t care whether you read this blog, or take notice of what I have said, I don’t care if no one at MS cares, either you guys get damned serious, right now, or you’re going bye bye.

    I don’t want to say it, but I feel like I’m on the moon screaming at mission control here, and the radio link is out. I’m agnostic in terms of systems, I’ve run and used everything from 286’s through to AS/400 systems, and IE is an operational and security NIGHTMARE, and no one at MS seems to absorb this. They have taken to writing blogs where they start with ‘I wouldn’t use anything else’.

    I’d like the whole Dev team charged with IE to be forced to install NOT SOME LATEST BUILD across the MS network, but XP pre or post SP1, and then put themselves in a dial up environment, without any other products, and then ask them to spend half a day surfing.

    Throw in a handful of searches for the following:




    At the end of that half a day, examine the cookies, add ins, BHO objects, run ad-aware/spyware removal tools and carry out a check on what changes have taken place merely by using that browser and ONLY the browser.

    My feeling is each of these developers is living on a corp network, where they get latest machine builds with all the security updates in place. This environment is a disaster for me, because I now have the whole dev team coming here and on other blogs saying ‘We really love it and wouldn’t use anything else.’ It’s delusional, it’s not real world. It’s damn scary.

    Add in they are all probably on SP2 now, living on the bleeding edge, while the community of users in the real world is trailing trying to live on SP1, on dial up, in people’s homes, small businesses, where updates are not the priority for people’s general day to day living.

    The next MS staffer who suggests changing my production environment with a beta SP2….. no, I’m not going to get angry. I’m trying to be constructive..

    Whatever they do with IE, it should be backward installable back to 2000, I don’t wanna see anymore rubbish about people having to go get SP2 for XP, that is just insane..

  21. joe2287 says:

    Use Mozilla Products firefox and thunderbird and be gone with the hole infested alternative!



  22. Zooplah says:

    The one thing that irritates me is that if you send a proper XHTML document to IE as text/html, it second-guesses your server and tries to parse the document as XML, but MSXML can’t quite understand the DTD and displays an error page. I would really like it if IE could at least recognize XHTML documents as HTML, being that it seems that neither following the HTTP/1.1 specification in this area nor supporting application/xhtml+xml will likely happen any time soon.

    Thanks for listening.

    I’d also like to reply to some of the others who suggested using a different browser. It’s true that Gecko browsers, KHTML browsers and Opera are all better than IE, but hoping to convince all of the ignorant world to switch is naive idealism. So I think we should advocate better browsers, but help Microsoft fix the problems that cause our pages to be totally unintelligible for those that don’t want to or don’t have the permission to switch.

  23. I write a weekly column mostly about Microsoft security problems (and am one of the certified answers.Google researchers) and I have seldom seen a better presentation of what the real problem with IE is than Darren’s "more in sorrow than in anger" plea for more understanding from Microsoft.

    I have to run IE because that’s what I support for my clients but I wouldn’t dream of using Outlook and would REALLY love it if MS provided a stripped down, basic, secure browser which people could choose to run instead of the bloated and twitchy IE. To H with the bells and whistles, offer an alternative for those of us who just want to get our work done.

    Let me emphasize that I’ve never had a real problem but that’s because I am extremely careful – it’s very time consuming to protect a system where IE is in regular use.

    I would use Opera but it has lots of its own problems, including four new and different address bar spoofing vulnerabilities in just the past few months.

  24. Kroc Camen says:

    Since when did IE have bells and whistles? It’s just a window with back and forward buttons. How I like it. On a corporate network IE is your mother of all problems, agreed and on regular’s computers it’s also a problem and the last six months the security problems have got insanely bad. But I’m not switching – why?

    I’m an individual IT professional, so of course all I need to do is put the effort in of installing SpyBot, AVG and Google toolbar and I’m pretty much sorted for smooth uninterrupted browsing without hassle other than a weekly Windows update which I do anyways. Firefox is possibly the only other browser I’ve seen which actually lets you get on with browsing. I wouldn’t recommend Mozilla or Netscape to ANY computer-newbie at all. There are too many menus, too much side pane bollocks and far too many dialogs for this, that and everything else. A frustrated newbie user just wants to view a bloody site and MozFireFox and IE are the best for it.

    I do believe that Microsoft have *finally* realised that Windows needs sorting out properly otherwise they face a serious threat of losing market share. But don’t expect everything to be hunky dory with a small download tomorrow. Microsoft’s Longhorn is now being re-written ground up as a .NET managed application using new compiler tools to stop stack overflows and the most rudimentary of hacking techniques and the reason MS are saving IEv7 for Longhorn and Longhorn ONLY is that they are going to seriously make use of the Longhorn structure to make IE the browser it should’ve been to start with – standards compliant and secure.

    When Microsoft releases Longhorn, it’ll either be the solution to everybody’s problems, secure, reliable and fast or Longhorn will be no better than Windows 98. I would bet money that it’ll be one or the other and nothing in-between.

  26. Todd Baker says:

    It would appear that MS have disabled the view-source: protocol (view-source: as there have been reports of vulnerabilities with notepad (and WordPad if the file size is very large).

    It’s a shame that this has been disabled rather than fixed. Mozilla seems to be able to do it ok.

    When I try to load view-source: I get page not found.

    Tony, can you confirm this was changed with SP2? I can’t find anything listing this change.
