• Windows Secrets – Protect IE — part two (N/A)

    #412730

    Could you provide a link to whatever you are commenting on? I understand most of what you’re saying, but a more complete picture would be nice.

    • #905486

      He’s referring to the latest issue of what used to be Woody’s Windows Watch – WINDOWS SECRETS NEWSLETTER (formerly Woody’s Windows Watch and Brian’s Buzz on Windows) ISSUE 42

      • #905539

        I only read about half of what I’m subscribed to. And I’m not even subscribed to that one.

        • #905644

          Humorously (or maybe it is ‘sadly’), I try to read most of Woody’s newsletters. Having Brian at the helm is a little different and I am still not sure I like the ‘combination’ idea. I had to vent after this one, so I chose this forum. Hope it is OK! ;-]

          • #905705

            There are some aspects of the Local Machine Zone advice that do seem to make some sense. So I have been giving it a test run. It does seem, however, that an end result is that opening links in my browser now takes forever and a day – even if it is to a Trusted Site. Do you have any clear understanding which setting affects this? The apps in question are all non-M$, with the sources being a mail client and a text editor. In fact, the text editor white-screened on a 1 Gb RAM machine.

            I do agree that Brian’s style is very much different from any of the previous incarnations of Woody’s e-zines; right down to the “commercials” being more intrusive. Even TNPC seems more like a Woody product!

            • #905902

              Hmmm… I am not sure why that would occur. On the surface, I don’t see a clear relationship. To solve that I might use something like FileMon and RegMon from Sysinternals and see what was really happening during the slow down. Perhaps something is being repetitively accessed for some data that it cannot get?

              Norton/Symantec is a developer that uses a lot of Local Machine ActiveX. I have heard that sp2 breaks a lot of their programs, and perhaps this is the mechanism?? I have been purposefully dragging my feet installing sp2 — my computer has been ‘safe’ for years.

            • #906185

              >Norton/Symantec is a developer that uses a lot of Local Machine ActiveX

              You may (conceivably) have something there – as I do have NAV running. (No other Norton products, however.)

              It’s not an SP2 issue. (My extra hard disk connects by FireWire and will not (as yet) function under SP2. Thus I have deinstalled SP2.)

    • #905049

      I am not entirely sure of my take on Brian’s article.

      “What Microsoft suggests, which is absurd” – states that MS “recommends that Windows users change the security settings of the so-called Internet Zone in Internet Explorer to ‘High.’ ” I am not sure that this is really absurd. In fact, later in the same article Brian recommends:

      “To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown: (All items are essentially set to “Disable”).” Therein lies the inconsistency!

      Brian says that Microsoft’s idea is absurd, but then he recommends to MANUALLY accomplish the exact same goal. So is it absurd to make all the necessary changes in a few clicks (set the zone to “High”), or is it absurd to manually change 19 different items in a drop down list?? I think your time is better served if you follow Microsoft’s advice; the end result is essentially the same. You can always open the Configure dialog box later and make fine adjustments.

      Next he recommends locking down the My Computer (aka Local Machine) zone. Perhaps things have changed significantly over the past year or two, but on our previous trials locking down the Local Machine zone had the undesirable side effect of stopping many programs from running correctly. The most blatantly obvious one was Windows Explorer. Why? Because WE is a close brethren to IE, and WE uses ActiveX to display some of its more complicated features. In fact, ActiveX is used by many programs that you have installed on your computer. So, shutting down Active Content in the Local Machine zone may not be ideal for many users.

      It is conceivable that MS and other vendors eliminated ActiveX in their new programs, but this article is supposed to be addressed to users that DON’T have WinXP — and are likely those that don’t have the most up-to-date computers.

      I agree completely with adding sites that you trust and visit regularly to the Trusted sites zone — that is the whole point behind Zone security. That is what you are supposed to do! However, using Jason’s Trust Setter is a better option than the one Brian gives. (http://www.jasons-toolbox.com)

      After ALL the crap that has happened to users’ computers over the past year, can ANY ONE argue that the “Internet” should NOT be Restricted??? How many more “Browser Hijacks” and “Drive-by Downloads” do you need to see?? The ‘basic’ Internet should always be considered Restricted — that may be sad, but it is definitely true. If you trust a site and want it to use Active Content, then add it to your Trusted sites!

      Lastly, this is sort of bogus — or at least a little out of date:

      “Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE’s rendering engine to write to the screen, etc. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways.”

      Well, not long ago MS corrected the problem of having its Email Clients opening mail in the Internet zone. The default has been Restricted sites for a long time now. Check your computer right now. So, changing the Internet zone security settings has NO effect on your Email security, unless you have specifically reassigned your Email to the Internet zone (Not recommended). Furthermore, any ActiveX or Scripting these clients do that doesn’t involve an open Email would be done in the Local Machine (My Computer) zone — because they are installed on your Local Machine. Therefore, modifications to the Internet zone security settings AGAIN would not come into play…. FWIW.

      • #906511

        > ActiveX is used by many programs that you have installed on your
        > computer. So, shutting down Active Content in the Local Machine
        > zone may not be ideal for many users.

        With ActiveX scripting set to “prompt”, all of the .chm html
        help files, for Excel, Word, etc, all take extra clicks to open and
        navigate around in.

        How do I add these to the Trusted Zone? I tried different ways of
        entering the path/filename, but kept striking out.

        TIA,

        Andy

        • #906653

          You have come up against the Catch-22. You would have to put your Local Machine into the Trusted Zone – which defeats the object of the exercise in resetting the Security Levels! Naturally, if there were some way you could certify individual files as being trustworthy, then you could resolve the issue. AFAIK certification at that kind of level is not available. HTH

          • #906657

            Alternatively, a much easier solution is just to switch to Firefox or some other alternative browser…

            • #906833

              Using Firefox is not really a solution for the Local Machine zone — which is a significant part of the newsletter.

              Yes, there is the Catch-22: as I stated above, if you restrict the Local Machine (My Computer) zone then MANY things do not work correctly on your computer. I do not see this as a viable, long term solution. It is “cutting off your nose to spite your face” — or something like that!

              And Unk points out, there is no “fine-grained” control that one could use to set specific restrictions on certain ActiveX controls. Think of the VAST IMPROVEMENT that would be! Let’s say you wanted to restrict MOST ALL ActiveX controls in the Internet zone, but you wanted to let Acrobat Reader run. You can’t do it! It is all or nothing: either ALL ActiveX is allowed, or none.

              There are two small caveats, but there is MINIMAL security in those! You can specifically restrict the Downloading of “Unsigned” controls and you can block controls that are not marked “Safe”. But… there is no ActiveX police! The author of the control is responsible for marking the control “Safe” — sort of like letting the wolf guard the hen house. There is a scant more safety (perhaps) with downloading only “signed” controls, but I have little faith that advertising companies don’t have signatures, or that the really bad guys can’t fake them or steal them! So, I would not trust my computer solely to these restrictions…

              SpywareBlaster is an Excellent tool at blocking some of the really bad controls, but it suffers from the same problem as AntiVirus programs — it relies on a definition list. Once the control makes the list, all the creator has to do is modify ONE LITTLE BIT — and the control has a completely different Class Identifier, thereby avoiding detection by SpywareBlaster. Don’t get me wrong, I love SpywareBlaster, but one has to understand its limitations.

          • #906972

            > Naturally, if there were some way you could certify individual
            > files as being trustworthy, then you could resolve the issue.
            > AFAIK certification at that kind of level is not available.

            When I tried to enter a file into the Trusted Zone, I got an error
            message that included:

            You have entered an invalid wildcard sequence.

            Examples of valid patterns:

            file:\\localsvr\share

            It sounded like *some* kind of file would be permissible, so I fooled
            with things like – file:*.chm, *.chm , *.chm, C:*.chm, etc.

            Guess not, as you said.

            oh well

            Andy

      • #914387

        >> Next he recommends locking down the My Computer (aka Local Machine) zone. Perhaps things have changed significantly over the past year or two, but on our previous trials locking down the Local Machine zone had the undesirable side effect of stopping many programs from running correctly. <<

        You are soooo right! Unfortunately, I'm real late coming in on this subject. I didn't get around to reading that newsletter until a couple of weeks ago and I haven't been regularly reading messages in this forum. I implemented Brian's suggestions and I was locked out of nearly everything! It isn't easy to add all the necessary addresses to the Trusted Zone, but that is the smallest part of the problem. After I increased the security in the My Computer zone, I could not get into this forum to ask about it! And I could not download Firefox to get out of the problem. And the My Computer zone does not have an active Default button to return you to an acceptable state. For a long while I didn't have any idea that the changes in the My Computer zone were causing the problem so I didn't go in there and change the settings. I asked about the problem on a CompuServe forum and nobody there seemed to have read that newsletter or had any idea why I had followed such ridiculous advice! I finally changed the My Computer zone settings to some basically wide open settings and now I can get in here. I don't know what settings should really be used there, but I've downloaded and installed Firefox and I'll probably use it whenever I can at this point. Anyway, I think it is a real shame for Woody to be associated with a newsletter that would give such ridiculous advice.

        Bill

        • #914798

          Something that was implicit (rather than explicitly stated) in what the Newsletter said was that it effectively involved changing the Registry. It did specifically point you to which Registry key was in point. Thus, I backed up/exported the Registry key before I changed it and was able to change it back. You can try exporting the settings from a similar set-up. As ever, back up your existing settings first! HTH

          • #914924

            It didn’t occur to me that the settings themselves were stored in the registry! It makes sense. I did change the registry to make the “My Computer” zone visible but I didn’t pay any attention to what the other settings near it looked like. I guess you are suggesting that they contain the actual settings. I’ll compare that section of my registry with the same one, if it exists, in my wife’s PC which is running Win98. I suspect they will be different but maybe not if she is also running IE 6.

            Thanks for the suggestion.
            Bill
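
The backup-and-compare step discussed in the posts above, as an added example that is not part of the original thread: a Python sketch that reads two .reg exports of the `Internet Settings\Zones` key and reports which zone actions changed. The key path, action IDs and the 0/1/3 setting values follow Microsoft's documented zone settings; both exports are constructed samples.

```python
import re

# Zone numbers, action IDs and setting values as documented by Microsoft
# for Internet Explorer security zones (only a few actions are listed here).
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
ACTIONS = {"1001": "Download signed ActiveX controls",
           "1004": "Download unsigned ActiveX controls",
           "1200": "Run ActiveX controls and plug-ins",
           "1201": "Initialize and script ActiveX controls not marked as safe",
           "1400": "Active scripting",
           "1405": "Script ActiveX controls marked safe for scripting"}
SETTINGS = {0: "Enable", 1: "Prompt", 3: "Disable"}

KEY_RE = re.compile(r"^\[.+\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample exports (not taken from the thread or any real machine).
BACKUP_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
'''
CURRENT_REG = (BACKUP_REG.replace('"1200"=dword:00000000', '"1200"=dword:00000003')
               .replace('"1201"=dword:00000001', '"1201"=dword:00000003')
               .replace('"1400"=dword:00000000', '"1400"=dword:00000001'))


def parse_zone_export(text):
    """Return {zone_number: {action_id: setting}} from .reg export text."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Keys outside ...\Zones\<n> switch collection off.
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)  # skips DisplayName, Flags, Icon, ...
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones


def diff_zones(backup, current):
    """List (zone, action, old, new) for every action whose setting differs."""
    changes = []
    for zone in sorted(set(backup) | set(current)):
        old, new = backup.get(zone, {}), current.get(zone, {})
        for action in sorted(set(old) | set(new)):
            if old.get(action) != new.get(action):
                changes.append((zone, action, old.get(action), new.get(action)))
    return changes


def _label(value):
    return "absent" if value is None else SETTINGS.get(value, hex(value))


def describe(change):
    """Render one change tuple as a readable line."""
    zone, action, old, new = change
    return "%s: %s (%s): %s -> %s" % (
        ZONES.get(zone, "zone " + zone),
        ACTIONS.get(action, "action " + action), action,
        _label(old), _label(new))


if __name__ == "__main__":
    for change in diff_zones(parse_zone_export(BACKUP_REG),
                             parse_zone_export(CURRENT_REG)):
        print(describe(change))
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read real files with `encoding="utf-16"` before passing the text in; REGEDIT4 exports from Windows 98 are plain ANSI text.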
