Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Internet Explorer security levels compared

Internet Explorer security levels compared

  • Comments 9
  • Likes

A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.

Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

Column headings Entries
H High D Disable
MH Medium-high E Enable
M Medium P Prompt
ML Medium-low    
L Low    

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

 

.NET Framework

  H MH M ML L
Loose XAML D E E E E
XAML browser applications D E E E E
XPS documents D E E E E

.NET Framework-reliant components

  H MH M ML L
Permissions for components with manifests D 1 1 1 1
Run components not signed with Authenticode D E E E E
Run components signed with Authenticode D E E E E

     1 = High safety

ActiveX controls and plug-ins

  H MH M ML L
Allow previously unused ActiveX controls to run without prompt D D E E E
Allow scriptlets D D D E E
Automatic prompting for ActiveX controls D D D E E
Binary and script behaviors D E E E E
Display video and animation on a Web page that doesn't use an external media player D D D D D
Download signed ActiveX controls D P P P E
Download unsigned ActiveX controls D D D D P
Initialize and script ActiveX controls not marked as safe for scripting D D D D P
Run ActiveX controls and plug-ins D E E E E
Script ActiveX controls marked as safe for scripting D E E E E

Downloads

  H MH M ML L
Automatic prompting for file downloads D E E E E
File download D E E E E
Font download P E E E E

Enable .NET Framework setup

  H MH M ML L
Enable .NET Framework setup D E E E E

Miscellaneous

  H MH M ML L
Access data sources across domains D D D P E
Allow META REFRESH D E E E E
Allow scripting of Internet Explorer Web browser control D D D E E
Allow script-initiated windows without size or position constraints D D D E E
Allow web pages to use restricted protocols for active content D P P P P
Allow web sites to open windows without address or status bars D D D E E
Display mixed content P P P P P
Don't prompt for client certificate selection when no certificates or only one certificate exists D D D E E
Drag and drop or copy and paste files P E E E E
Include local directory path when uploading files to a server D E E E E
Installation of desktop items D P P P E
Launching applications and unsafe files D P P E E
Launching programs and files in an IFRAME D P P P E
Navigate sub-frames across different domains D D D E E
Open files based on content, not file extension D E E E E
Software channel permissions 1 2 2 2 3
Submit non-encrypted form data P E E E E
Use phishing filter E E E D D
Use pop-up blocker E E E D D
Userdata persistence D E E E E
Web sites in less privileged content zone can navigate into this zone D E E E P

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

  H MH M ML L
Active scripting D E E E E
Allow programmatic clipboard access D P P P E
Allow status bar updates via script D D D E E
Allow Web sites to prompt for information using scripted windows D D E E E
Scripting of Java applets D E E E E

User authentication

  H MH M ML L
Logon 1 2 2 2 3

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

 

Privacy settings (on the "Privacy" tab)

  H MH M ML L
Allow persistent cookies D E E E E
Allow per-session cookies D E E E E
Allow third-party persistent cookies D P P E E
Allow third-party session cookies D E E E E
Comments
  • PingBack from http://www.mariukasm.lt/internet-explorer-saugumo-lygiu-palyginimas/

  • Thanks for sharing this! Very handy to have.

  • HI!    I WISH THIS ARTICLE WAS MADE FOR PRINTER FRIENDLY OPTION. CAN U DO IT? I'LL APPRECIATE IT VERY MUCH!   THANKS!

  • I would be interested to know what setings do you use?  I tend to block third party cookies, and keep the default of medium high.

  • I use the defaults for the Internet security zones. I remove the requirement for https:// in the trusted sites zone. In my privacy settings, I override automatic cookie handling with this: accept first-party, block third-party, always allow session.

  • Thanks for making this table!

    I did find a couple discrepancies though. This was on a fully updated Vista box. I could only check M, MH, and H since ML and L aren't available to reset to.

    Downloads>Automatic prompting = Disabled on MH and M

    Scripting>Allow status bar updates via script=Enabled on M

    Jordan, just copy the table section and paste it into Word. That's what I did so I could make notes on the list.

    Thanks again for the list. I'm trying to troubleshoot a software problem at work. It is definately related to IE security settings, so this helped a lot to check the settings systematically.

  • As a couple of people are looking at their IE currently, I found some interesting information on Steve

  • Very useful ! Thanks :)

    Pingback http://www.winvistaclub.com/forum/windows-vista-tips-tutorials/26462-differences-between-ies-medium-medium-high-security-settings.html#post123248

  • Encontré esta publicación de Steve Riley (experto en seguridad) que compara los diversas configuraciones

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment