Security Menu: This menu controls the security settings for various "zones". The most important of these is the Internet Zone, as that's where most of the mayhem occurs. So, I assume for the purposes of setting recommendations we are talking about the Internet Zone. Generally, it is enough to set the security level for the Internet Zone to "High" (Click Tools, Internet Options, then the Security tab in the menu that comes up. Select Internet Zone (the icon looks likea globe and select Custom Settings). In the custom tab at the bottom, click the drop menu and select "High". Then click the Reset button and answer "Yes" to the prompt asking you if you are sure you want to change this setting. If this causes objectionable problems, find the item on the menu called "Active Scripting" and set this to "Enable".
Internet Explorer (and, in fact, Windows itself) allows you to set four distinct "zones" (actually, five, but I won't get into that now), and have a separate set of security rules for each zone. All zones have the same security options, discussed below. In theory, the idea is that you can put sites you trust completely in the Trusted Sites Zone (the green globe icon in the security menu) and specify individual sites you trust. Sites which you specifically distrust would go in the Restricted Sites Zone (the red globe in the security menu), which, by default, has the most restrictive security settings. Sites and resources stored on your local network would be treated under the rules of the Intranet Zone, which has fairly lax security settings. Finally, anything that isn't covered under any of the three zones above would be treated by the security settings under the Internet Zone, which, by default, also has fairly lax security settings. Needless to say, this idea works a lot better on paper than it does in the real world.
What this means to you is that, if you do choose to continue using Internet Explorer rather than use a safe web browser (which means virtually anything other than IE), you should set your Internet Zone's security to High as discussed above, and add a few, completely trusted sites to the Trusted Sites Zone, such as the Windows Update sites discussed in the 8-step plan, or some sites located within your workplace. It is never a good idea to allow sites you don't trust completely, or sites which make use of third-party advertisers or services, to run with medium or low security settings.
Also, the settings below are for IE6 Service Pack 1. Older versions of IE typically have fewer security controls or different wording.
Download Signed ActiveX controls -
Your
browser is authorized to download ActiveX
programs from websites. An ActiveX control is a small,
executable program. You can disable this entirely
(recommended), enable it, or allow you to be prompted,
which is the default setting for IE 6.
A signed ActiveX control has a "certificate" that
comes with it. It's basically an encryption key that,
in theory, "proves" that the person or site providing
the download has been positively identified. The
primary reason for certificates is to prevent any
13-year-old from creating malware and allowing it to
intall via IE. However, the vast majority of spyware,
adware, and some other kinds of malware has been
certificated by Microsoft. Also, one can create their
own certificates. So, this essentially provides no real
security.
This should absolutely NEVER be set to anything other
than Disable.
Download Unsigned ActiveX -
Same as above, but without
even the trivial protections of a certificate. Again,
this should absolutely NEVER be set to anything other than
Disable.
Script ActiveX controls marked safe for scripting -
Allows ActiveX script to run, often preparatory to
installing one from a website. Disabling this can be
useful if you've already added the ActiveX controls
you want (Shockwave, Flash, etc.) and, along with
disabling downloads and enabling the running of
Activex (next), allows you to pretty much "keep things
as they are." Still not very safe, though, and best
set to Disabled.
Run ActiveX controls and plug-ins -
Allows ActiveX controls to run. This is primarily for
the likes of Flash and Shockwave. Most kinds of
malware, once installed, do not need to run as
ActiveX objects, so this setting has less of an effect.
But for maximum security, set this to Disable.
Download files -
Allows or prevents you from downloading files.
Download fonts -
Allows websites to give you fonts necessary to
properly view pages using non-standard fonts and character sets. I'm not aware of any security problems, past or present, involving this.
Microsoft VM -
Java Virtual Machine or VM is
Microsoft's clone of Sun's Java. Microsoft lost a
copyright-infringement suit last year and was forced
to cease offering JVM with Windows. If you already had
it, it won't be uninstalled, but fresh copies of
Windows XP with SP1 and later won't have it. Which is
a good thing, too. JVM is very insecure, and, although
Sun's Java also had a lot of the same issues as JVM,
Sun tends to fix things VERY quickly. More
importantly, since it was not native to Internet
Explorer, few exploits (such as the CWS/CoolWebSearch
series of trojans) affected Sun Java.
Anyway, this setting controls safety. This should
always be set at disabled, since few sites use Java
content anyway and those that do can make use of Sun
Java if you have it installed.
Access Data sources across domains -
Basically, you can't
make use of webpages, graphics, etc. that lie on
another domain if this is disabled.
Should ALWAYS be set to Disabled.
Allow META REFRESH -
Allows websites to redirect your
browser somewhere else after a certain period of time.
There are a few legitimate websites that use this,
but VERY few.
Allow mixed content -
Allows you to view webpages
with both insecure content (sent by HTTP) and secure
content (HTTPS, such as logins and such). There are some recent cross-site scripting vulnerabilities which can cause you to be fooled into thinking you are entering a secure site when you aren't. So, this is best set to Disable.
Don't prompt for Client Certificate selection when no
certificates or only one certificate exists -
Always set to Disable.
This allows you to bypass certificate warnings
and prompts in some cases, which is rarely a good
idea. About the only people who MIGHT be able to
use this setting safely are web developers
creating secure content, using their own certificates,
and never talking to the outside world. For them, it
can be a real pain to deal with that option screen.
Allow Installation of Desktop items -
Determines
if you can install items directly from
webpages. Note that this is not the same thing as
ActiveX or a litany of other security flaws, but this
should always be set to Disable.
Drag and drop or copy and paste files -
Allows
you to click and drag files from webpages to
your desktop to download them. There are a few
security risks associated with this and it is rarely
used in most normal Internet environments, so disable
this.
Launching programs and files in an IFRAME -
This has long been one of the most dangerous - and
un-patched - flaws in Internet Explorer and should
always be set to Disabled. Basically, this allows
websites to download and/or execute files and scripts
from a special tag embedded in a webpage, the IFRAME
tag. Although IFRAMES themselves do have some
protections, there are multiple unpatched flaws and
new ones discovered pretty much on a weekly basis. The
SuckIT rootkit/spyware installer going around exploits
one of these flaws. I'd really like to know what
rocket scientist at Microsoft though this would be a
good idea...
Navigate subframes across domains -
Basically allows you to view and navigate across a
webpage that actually comes from multiple sources (not
counting ad graphics, etc.) You could, for example, be
looking at my site and be looking at part of
Microsoft's site in another frame. The risk here is
whether the other sites are trustworthy, since you
will not see who they are in your URL bar at the top.
Very few websites actually need this Enabled to work,
except for some multimedia sites that store a lot of
their content with third-parties.
Software channel permissions -
In theory,
this controls installation and auto-updating of
software packages. In the Internet Zone,
this should be set to Disabled, although this
has little real relevance to anything, considering the
numerous and varied ways in which malware can install
via Internet Explorer.
Submit nonencrypted form data -
Basically,
this controls whether or not you can fill
out and submit form pages for insecure webpages (NOT
using HTTPS). There's probably quite a lot you do
online that is submitted by insecure pages such as
posting to message boards, so this generally should be
Enabled.
Userdata persistence -
This was sort of
Microsoft's version of cookies. As far as I can
tell, setting this to Disable doesn't cause problems.
Active scripting -
Determines whether
JavaScript and some elements of VBscript can
run. JavaScript is pretty much mandatory for all
websites these days, although there are tons
of JS-related security problems as well (another
reason why I say that it's not possible to use IE
safely, no matter what.) You pretty much have to set
this to Enable to use most websites today.
Allow paste operations via script -
Determines whether or not a website can access your
clipboard and cut, copy, or paste info or files. This
is a pretty extreme security risk, and should never be
set to anything other than Disable.
Scripting of Java applets -
Basically determines
whether any JS on a webpage can interact and share
data with any Java applets that may be running. This
might be mecessary for some online games but, beyond
that, isn't really desirable. If necessary, you can
set this in your Trusted Sites zone and put game
sites in there. However, game sites often are havens of questionable activity anyway.
Logon -
Usually, it does not matter what setting you use
outside of a corporate environment, and then only if
you use NTLM authentication with a server that
supports it. This only affects websites and services
that challenge you for a username and password using
the familiar old gray box. Keep in mind that any
security and infrastructure appliances such as
routers, firewalls, router/firewalls, etc. should
always use a password not used for normal logon or
anything else.
"Anonymous logon" uses CIFS protocol and provides no
real identification. "Automatic logon only in Intranet
zone" requests authentication in all but the Intranet
zone (i.e. My Computer, Internet, Trusted, and
Restricted sites zones.) "Automatic logon with current
username and password" uses NTLM and sends your
username and password, if you provided one, when you
started your computer or logged on to your network.
Obviously, this is mainly of interest to corporate
users. "Prompt for user name and password" requires
that you provide a user name and password every time you access a resource, unless that resource has some other method for identifying and authenticating you. (Often cookies.)
Internet Explorer Advanced Menu:
This is based
on IE 6.0 Service Pack 2. Earlier versions of IE may have
different or fewer controls, although most of the
controls have stayed pretty much the same.
Accessibility:
Always expand ALT text for images -
this controls how you see text for images that
don't download for whatever reason. In a
properly-designed webpage, ALTernate text describes
what the image was (for example, "Submit" might
appear in place of a graphic Submit button, in case
the graphical version of the Submit button couldn't
download for whatever reason.)
This setting has no security considerations.
Move system caret with focus/selection changes -
for all intents and purposes, when this is checked, when
zooming in within a page, Windows moves the mouse
pointer or cursor ("system caret") to somewhere on the
screen, so you don't type offscreen where you can't
see what you're doing. It's a good idea to check this
to prevent mistakes.
Browsing:
Always send URLs as UTF-8 -
this determines whether
URLs are sent in Unicode UTF-8 format. To make a long
story short, UTF-8 is a standard method for
representing characters among multiple languages and
alphabets. This allows multi-lingual compatibility.
Although many severe security problems exist due to
improper use of Unicode, disabling (unchecking) this
will currently will liekly have few, if any,
beneficial results.
Automatically check for Internet Explorer updates -
checks for new versions of MSIE. Not really necessary
since Windows XP has automatic updating, and even
older Windows versions have an update notification
service. In fact, it is preferable that Internet
Explorer not be checked since Microsoft will probably
include the misleadingly-named Trusted Computing
technology in the next version of Internet Explorer.
Close unused folders in History and Favorites -
Really
more of a convenience to prevent old pages and
favorites from cluttering up the ones you use most
often. No siginifcant security implications.
Disable script debugging -
This should be unchecked
unless you are doing webpage design. Might cause
instability. Although this can on rare occasion be
useful for telling you why a feature on a webpage
doesn't work, most people find it to be extremely
annoying in normal use.
Display notification about every script error -
Similar to above, with less detail.
Enable folder view for FTP sites -
If checked,
determines whether you see the cute, familiar little
Windows folders when browsing an FTP server, versus
file names listed along the left side of the screen.
Personally, I find the latter more useful in most
cases. The only (minor) security consideration is that
"folder view" tends to provide less detail about the
nature of files
Enable Install on Demand (Internet Explorer) -
A huge
security problem if checked. This "feature" allows
ActiveX programs to install using the common Microsoft
method of storing files in a CAB archive, which many
kinds of malware do. Never have this box checked.
Enable Install on Demand (other) -
Similar to the
above, except allows self-installing programs to run.
Never have this checked.
Enable offline items to be synchronized on a schedule -
This determines whether you are allowed to schedule
other items to be synchronized with data on your
machine (PDA's, laptops, etc.) This means downloading,
changing, updating, etc. You might, for example, want
to synchronize the emails you have stored on your
desktop machine with those of your PDA, so all the
emails (incoming, sent, rough drafts, etc.) you have
stored on your desktop also show up in your PDA or
laptop's email program, and vice versa. This is a
difficult and not-well-developed technology, which
generally requires the use of third-party software
anyway, so there is no point in leaving this checked.
Enable page transitions -
Allows you to fade in and
out of pages when clicking links and changing pages.
This looks cool for about the first five or six times,
then most people start to find it annoying.
Enable personalized Favorites menu -
Stored
most-recently visited pages near the top of your
favorites for easier access. No real security or
privacy risks here - any potential malware that can
read recent favorites can probably read a lot more
sensitive stuff off your machine.
Enable third-party browser extensions -
In theory,
disables BHOs (Browser Helper Objects), which is how
many kinds of malware operated. Some legitimate
programs such as download managers do too. These are
called "plug-ins" by most other software
manufacturers. This should be unchecked.
Enable visual styles on buttons and controls in web
pages -
Makes controls such as radio buttons prettier.
No known security risks.
Force offscreen compositing even under Terminal Server
-
Should be unchecked. This allowwss one image to be
overlaid onto another when running Terminal Services,
which allows you to connect to another computer and
basically treat it as if it was part of yours. Aside
from the fact that it can allow false or misleading
images to be displayed, it can also be buggy.
Notify when downloads complete -
If checked, when a
download completes, the download dialog and status
will pop-up, showing you that the download finished
and offering you a chance to launch the file with the
Open button. If unchecked, the download status window
will simply close when the download finishes. The only
(minor) security consideration is that, if the
download-completion box pops up when you just so
happen to be clicking a link, and it just so happens
that you click a location on the screen the Open
button comes up, you could accidentally run or launch
the file just downloaded. If you don't have a good,
properly-configured memory-resident virus scanner, it
may not have a chance to scan the file before you
launch it. This might not seem like a likely scenario,
but remember that computers are run by Murphy's Law.
Reuse windows for launching shortcuts -
Uncheck this.
If this is checked, then, when you click a link that
is a shortcut - perhaps a file or email - it will not
spawn a new window but will run in the current one.
Although I'm not aware of a specific threat that takes
advantage of this, Internet Explorer is literally
riddled with cross-site and domain obfuscation flaws,
so leaving this checked is an unnecessary and
pointless risk to take. Moreover, most people also
find that running applications in a separate window
helps their orientation and to better know what they
are doing. Plus, it also keeps the original window
open, which often contains instructions or additional
information.
Show friendly HTTP error messages -
Shows the familiar
Windows error that offers some suggestions how to
resolve the error. If unchecked, it shows the error
code and message only (e.g. 404 - page not found).
There are some kinds of malware that check for these
messages and tries to direct you to a sponsored (and,
sometimes, misleadingly-named) site, but this setting
has nothing to do with this. There is no harm in
leaving this checked.
Show friendly URLs -
This shows site names or
descriptions from your Favorites, rather than simple
site URLs. A potential security problem is that it has
become increasingly common for sites to impersonate
their more-popular competitors (especially, if you
haven't noticed, in the anti-spyware business - ever
notice how many SpyBot and Ad-Aware impersonators
there are?) Therefore, it is preferable to uncheck
this.
Display Go button in Address bar -
Determines whether
the little green Go button appears to the right of the
URL. Unchecking this frees up a little bit of space on
your screen for other, more useful things. If you type
in a web address, hitting Enter will do the same thing
anyway.
Underline links -
When set to Always, will let you
know that a link is there. When set to Hover, links
won't underline unless you place the mouse cursor
pointer over them. This can make text appear more
natural, but, if the link text is the same color as
the normal text (which is fairly common), may prevent
you from knowing a link is there. Never is kind of
self-explanatory.
Use inline AutoComplete -
When you type in a web
address when this is checked, IE will try to complete
the link based on your history in order to save you
some typing. No appreciable security risks, but some
people like this, while others don't care for it.
Use Passive FTP -
This generally should be checked,
particularly if you are using a personal (software)
firewall. Actually, if the firewall is a good one, you
should only be able to use passive (PASV) FTP. In
Active FTP, which is still considered the normal FTP,
a client (normally, you) sends a request to transfer a
file from a server, but the server initiates the
sending of the data. Since most firewalls are
specifically intended to block incoming data that
appears unsolicited (which is really the primary
purpose of a firewall in the first place), an Active
FTP session may be blocked. Additionally, Active FTP
is prone to abuse. Passive FTP gets around this by
using the more normal method of having the client
initiate connections and transfers. Active FTP is,
thankfully, increasingly being replaced by Passive
FTP, particularly as firewall use becomes more common.
A few services still require Active FTP. If this is
the case, and if HTTP or other transfer options are
available, it is best to use them rather than deal
with the headaches and security risks related to
Active FTP.
Use smooth scrolling -
When you click up or down on a
webpage while this is checked, will scroll cleanly
rather than simply jumping to a new part of the page.
Some people like this, others don't, but there are no
security concerns here.
HTTP 1.1 settings:
Use HTTP 1.1 -
Uses the HTTP 1.1 standard to decode
and send data to websites, rather than the older HTTP
1.0 standard. HTTP 1.1 compresses data packets before
sending them to and from your computer, resulting in
faster performance. HTTP 1.1 is standard all around
the web. There are only two situations in which you
might want to disable (uncheck) this: 1. If Windows
Update is freezing, or 2. If you wanted to use a
packet sniffer.
Use HTTP 1.1 through proxy connections -
Some proxies
don't understand HTTP 1.1, so if you are using one
that doesn't, don't check this. It's a good idea to
try out your proxy by checking this first and seeing
if it works; if it doesn't, then you can uncheck this
later.
Java:
fNote that it is generally not a good idea to
use Java in a web browser, particularly Microsoft's
version. (Of course, Java is better than ActiveX controls!)
If you have Sun Java installed and set up to
work with Internet Explorer, then you will get
different options, discussed later. Since Microsoft is
no longer including their own version of Java - due to
a patent-infringement ruling against Microsoft - this
option may not even be present on newer editions of
Windows XP and later operating systems. There is
some critical security info below, in the section
called "Some vital Java notes")
Enable Java Virtual Machine -
This uses Microsoft's
version of Java, which is no longer supported. This
should be set to disable (unchecked). If you need
Java, you are better off installing Sun's
Java. More on this in a minute.
Java Console enabled -
Allows you to view debugging
information for Java applets. Mianly useful for developers.
Java logging enabled -
Allows you to log debugging
information for Java applets.
Enable Java JIT (Just-In-Time Compiler) -
This should
be checked as it increases performance. It starts
compiling Java code as it is downloaded, rather than
waiting for a complete download. On some systems -
particularly Windows 95 - JIT doesn't work well, and
is best left disabled.
Java (Sun) -
(Note: you will only see this if Sun's
Java is installed and set up to work with Internet
Explorer. If you are sure Sun's Java is installed [you
might see a coffee-cup icon on your desktop, or see
the Java control in your Control Panel], then you
should remove the current version, download the
latest, and reinstall it. More on this, below).
Use Java [version number will be here] -
Check this if
you require Java, otherwise uncheck anything relating to Java.
Some more vital Java notes:
As mentioned earlier, Sun's
Java (the original Java) is safer to use than
Microsoft's, and, due to the patent problems,
Microsoft isn't going to support their version any
longer anyway. If you have Microsoft's version, it is
best to find and delete the JVIEW.EXE file, which
effectively disables it. Versions of Microsoft's Java
prior to version 5.00.3810 were prone to a severe
security flaw called the bytecode-verifier exploit.
This is how the CWS class of trojans - some of the
most dangerous spyware and trojans out there - enters
computers. Only the newest versions of XP prior to the
removal of Microsoft Java came with a fix for this. If you
must use it, see
Microsoft article MS03-011 here.
It is much better to use Sun's Java, but it is crucial
that you have the latest version, since, like most software, flaws are discovered from time to time. The particular flaw that allows CWS trojans to enter, mentioned above, actually existed in Sun's Java at one
time too, but was long ago fixed, and no known malware
took advantage of this problem. You may even have an
old version of Sun's Java on your system - old and new
versions of Netscape, Mozilla, and dozens of other
popular programs install it. Some computers even come
with it pre-installed, so it is critical
that you update to the latest version if you have it.
As of this writing, the latest version is 1.4.2.06,
but that may have changed by the time you read this.
Unfortunately, the Sun website isn't the easiest to
use for updates. Here's what to do: Go to Sun's
Java resource page (this will open in a new window, so
you can flip back to this one). Near the top, find
"Java 2 Platform, Standard Edition (J2SE)" . In the
drop-down list, find J2SE 1.4.2, and select All
Platforms, then click the Go button. On the next page,
look in the middle of the page for the "1.4.2_xx JRE"
edition. The SDK version is also available and
contains additional components to help you write your
own Java programs, if you prefer to use that version.
These are presently the latest stable versions of
Java. Now, exit any browsers you are currently running
before starting the installation, and if you have
Netscape or Mozilla, you should disable the little
quick-launch item (it should be in the tray, on the
lower right) before starting installation. Many people
prefer to download the "offline" version of the
installer, which is a much larger file, but is easier
to use.
Multimedia:
Enable automatic image resizing -
Allows images to be resized to properly fit your screen.
There are no security risks in having this Enabled (checked).
Enable image toolbar -
The image toolbar controls whether some
image-related options are clickable on the browser, such
options to save or load an image. These option are always
available through the menus, so disabling the toolbar serves
to simply reduce screen clutter. There are no security concerns,
so this feature can be enabled or disabled.
Play animations in web pages -
Determines whether animated GIFs will play
or show a static, unchanging picture. There are no presently-
known security risks to enabling the playing of animations.
However, understand that the animated graphics files controlled
by this option have nothing to do with far-riskier applications
such as Flash, the Viewpoint Media Player, ActiveX controls, and
Java - all of which are commonly used both for the playing
used to create animations and "rich content", but which may be
or are frequently abused and which pose severe security problems.
Play sounds in web pages -
Determines whether sounds (usually,
a WAV, MP3, or MIDI file) will play. There are no present security
concerns in enabling this feature. However, if you're
configuring computers in an office or public kiosk environment,
be aware the many people find sound in webpages to be VERY
annoying, and often startling.
Play video in web pages -
Determines whether video files
(e.g. MPG) will play. There are no present security
concerns in enabling this feature in an of itself. However,
If Windows Media Player is installed, IE will attempt to
use WMP to play videos. Be CERTAIN that you have locked down
WMP. Specifically, make sure that all patches to WMP have
been applied and (on versions 9 and later), that scripting
has been disabled. Start Windows Media Player, click on the
Tools menu item, then point to options. Under the Security
tab, make sure that the option called "Run script commands
when present" is UNCHECKED. It is advisable to also look
under the privacy tab and ensure that WMP is not allowed
to communicate or collect data. This is especially
important on public-use computers.
Show image download placeholders -
If an image is unviewable for some
reason, such as it's not there or you have disabled image
loading, this feature allows Internet Explorer to display
descriptions of what those images should be, assuming the
webpage author put them into their webpage. This feature
should be checked/Enabled.
Show pictures -
Determines whether or not images will be displayed.
You will have a tough time surfing the net without images.
This option's only real value is if you are on a slow
connection, this can prevent the loading of unnecessary
images. Leave this option Enabled/checked.
Smart image dithering -
Dithering refers to a process in which the
computer figures out how to resize an image to fit a larger
or smaller area. Smart image dithering will usually produce
better-looking results than other methods such as simple
dithering or expansion, so leave this optioned Enabled.
Printing:
Print backgorund colors and images -
Should generally be Disabled (unchecked). Background
images and wallpapers often clutter a printed page
rendering it unreadable. Also, if you have a color
printer, this will waste expensive toner, if enabled.
Security:
Allow Active Content from CDs to run on My Computer -
Disable. This allows webpages to access files from a
CD on your machine. NOTE: Internet Explorer, as of
Service Pack 2, has a new feature that allows you to
temporarily override this feature. called "Allow Blocked
Content". This temporarily overrides this menu item.
It is recommend that you NEVER allow blocked content.
Allow Active Content to run in fileson My Computer -
Disable. This allows webpages to access files from
yourd hard drive. NOTE: Again, Internet Explorer, as of
Service Pack 2, has a new feature that allows you to
temporarily override this feature. called "Allow Blocked
Content". This temporarily overrides this menu item.
It is recommend that you NEVER allow blocked content.
Allow software to run or install even if the signature is invalid -
Disable (in most environments). This feature is part of
Microsoft's Trustworthy Computing Initiative, also called
TCPA, Palladium, etc.
If enabled, this feature allows software to install without
a certificate. This is often necessary in environments in
which software is frequently installed or uninstalled or
if the software does not have a certificate (as 99% does not!)
Generally, this setting should be Disabled in a corporate
or public-use environment, but enabled in all others.
Check for publisher's certificate revocation -
Disabled in most environments. This feature checks to
see whether the certificate supplied with a piece of
software has been revoked. The certficate, in
theory, proves the identity of the software maker. In
actuality, nearly all spyware, and many or most viruses
and malware have some form of certification, and, to my
knowledge, no certificate has ever been revoked,
regardless of how malicious a piece of software or
whether the vendor lied about his or her identity.
So, this feature is pretty much useless and provides
only a false sense of security. It is best disabled to
cut down on network traffic.
Check for server certificate revocation -
Enable. When viewing a Secure (HTTPS, or SSL) site, checks
to be sure that the site's certificate has not been
revoked. This is not quite the same thing as the above,
since it applies to sites, not software products.
Check for signatures on downloaded programs -
Disable, except possibly in kiosk environments. This is
a core of Microsoft's Trustworthy Computing Initiative
(a.k.a. TCPA, Palladium). Since very little downloadable
software even HAS signatures or certificates - and
never will - this would effectively eliminate most
downloads. It would be far more effective and safer to
simply disable downloads entirely, from the Security
tab, for all zones.
Do not save encrypted pages to disk -
Eisable/check. When enabled, this prevents encrypted
pages from being stored on your hard disk, where the
encryption can theoretically be reversed. There is
rarely a need for storage of this information anyway.
Empty Temporary Internet Files folder when browser is closed -
Enable. Deletes all temporary and cached files when you
exit Internet Explorer. This is a powerful privacy
and security feature.
Enable Integrated Windows Authentication -
Disable (in most environments). This feature allows IE to
verify your identity to a webserver. This is not necessary
except in certain corporate environments, and even then,
only those configured to use this feature of IIS 6.0.
Enable Profile Assistant -
Disabled! Windows allows you to create a profile,
including financial information. This option allows
websites to get that information automatically. It
is an extension of Microsoft's failed Passport
program.
Use SSL 2.0 -
Enable. Allows you to connect to secure/HTTPS websites
using the older (but still secure) SSL 2.0 if
SSL 3.0 is not available.
Use SSL 3.0 -
Enable. Allows you to connect to secure/HTTPS websites
using SSL 3.0, if available.
Use TLS 1.0 -
Disable! Allows you to connect to secure/HTTPS websites
using the older (but BUGGY AND INSECURE) SSL 1.0.
Security flaws in SSL 1.0 are widely known and, under
no circumstances, should SSL 1.0/TLS 1.0 communications
be allowed.
Warn about invalid site certificates -
Enable. Secure (HTTPS) sites should always have valid
certificates, and you should be told when something
isn't right.
Warn if changing between secure and not secure mode -
Enable. Lets you know if you go from an SSL/secure (HTTPS) site
to a regular/insecure (regular HTTP) website. Any
information sent to and from a non-SSL (HTTPS) website
is not encrypted and viewable to any third-party
monitoring the line between you and the site.
Warn if forms submittal is being redirected -
Enable. Lets you know if a form or data you've entered
is being sent to a site other than the one which
supplied the form.