In the last episode we had a glimpse of the Windows Firewall and
how it was enhanced to prevent untoward incidents on the computer. While the
firewall helps keep the computer secure from outside attacks, it is not by
itself a foolproof way to secure the computer. Most connections to the
outside world are made from the Web browser, and hence the browser has undergone
a lot of tweaking and enhancement to minimize the risks. The major changes
made to Internet Explorer are:
  With an improved security infrastructure, Internet Explorer blocks
unruly windows and helps to defend your PC by drawing tighter security around
it. These security enhancements include things such as zone elevation blocks
and changes to object caching, serious-sounding names for serious security
protections. Let us explore the features one by one.
  Pop up windows.
  The biggest intruder in recent times when browsing was the famous
pop-up window. Whenever a website was opened, activity on the page would be
delayed because the pop-up window would obstruct the opening of the page. This
caused great discomfort to the user, because a pop-up window would open
every time a page was loaded and there was no control over it.
Many third parties provided pop-up blocking toolbars, but these were a pain to
download and made it difficult to limit which pop-up windows were
allowed. These toolbars also could not differentiate between a window that
popped up by itself and a pop-up window that opened with a user's click.
  Earlier, when a user was working in an application, he could
accidentally dismiss a dialog box that obtruded on his work without
realizing that he had clicked on it or being aware of what it was
about. Remember that in an earlier article on Longhorn, I
wrote how Longhorn would change the way users worked with dialog boxes,
and how the side bar would contain the history of all previous dialog boxes and
alerts that appeared on the desktop. Well, the same thing has been done to
Internet Explorer. If a pop-up were blocked silently, the user would have no
indication that a pop-up window had tried to appear. Hence
Internet Explorer had to give the user some indicator. This
is done with the Information bar. This is a new feature provided with Service
Pack 2; it appears below the toolbar at the top and gives different messages
depending on the security setting. We shall see more of the Information bar in
the next few paragraphs. The Information bar also provides settings to
tweak.
Figure 1. The pop up blocker.
Figure 2. The menu on the Information bar to configure pop up settings.
  What happens when a pop up window is blocked.
  When a site opens a pop-up window that is blocked by Internet
Explorer, a notification appears in the Information Bar and status bar and a
sound is played. Clicking the notification in the Information Bar or status
bar displays a menu with the following options:
- Temporarily Allow Pop-ups. Reloads the page, allowing pop-up windows. This
  can be used in scenarios where the user wants to see what kind of pop up
  window appears and whether it is informative or not. This setting lasts only
  for the lifetime of that instance of the browser window. When the browser
  window is closed, the settings are reset to the default.
- Always Allow Pop-ups from This Site. This allows the user to add the current
  site to the “Allow list”. The sites that appear in the “Allow List” will
  always allow the pop up window and the Information bar will not appear for
  these web sites.
- Settings. Shows more Pop-up Blocker settings menu items and gives access to
  the Pop-up Blocker Settings window.
  Internet Explorer provides some options for advanced configuration
of the Pop-up Blocker. These are set through the
Pop-up Blocker Settings window. The options are:
- Web site Allow List: This allows the user to add sites to the Allow list.
  Any site on the Allow list can open pop-up windows.
- Notification and Filter Level: There are 2 notification settings which can
  be turned on and off. They are:
  - Play a sound when a pop up window appears: You can toggle whether or not
    Pop-up Blocker plays a sound when a pop-up is blocked through the Advanced
    settings in Internet Options. You can also change the sound that plays. To
    do this, click Start, click Control Panel, double-click the Sounds and
    Audio Devices icon, and then specify the Blocked Pop-up Window system
    sound.
  - Show the information bar when a pop up window is blocked: This allows the
    user to configure whether he wants to see the Information bar when a pop
    up window is blocked. If he doesn't want to see any information, he can
    use the filter level to control the pop up windows, which is discussed in
    the next paragraph.
  There are 3 filter levels which can be set for the pop up blocker.
They are:
- Block all pop ups, Ctrl to override. By default, Pop-up Blocker allows sites
  to open a pop-up window when the user clicks a link. This setting changes
  that behavior by blocking windows that are opened from a link. If this
  setting is enabled, you can allow pop-up windows to open by pressing the
  CTRL key at the same time that you launch the pop-up.
- Block most automatic pop up windows. This is the default setting.
- Allow pop ups from secure sites. Customers can expand the scope of Pop-up
  Blocker to include the Local Intranet or Trusted Sites zones in the Security
  tab of Internet Options.
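
The way the Allow list, the temporary allowance and the three filter levels combine can be written as one decision function. This is an added example, not code from the article or from Internet Explorer: the names, the order of the checks and the reading of "secure site" as an https: page are assumptions made for illustration.

```javascript
// Simplified model of the Pop-up Blocker decision (added example).
// LEVEL names, field names and the order of checks are assumptions.
const LEVEL = {
  BLOCK_ALL: "block all pop-ups (Ctrl to override)",
  BLOCK_MOST: "block most automatic pop-ups (default)",
  ALLOW_SECURE: "allow pop-ups from secure sites",
};

function blocked(settings, reason) {
  // A blocked pop-up triggers whichever notifications the user left enabled.
  return { open: false, reason, infoBar: settings.showInfoBar, sound: settings.playSound };
}

function allowed(reason) {
  return { open: true, reason, infoBar: false, sound: false };
}

function decidePopup(req, settings) {
  const opener = new URL(req.openerUrl);
  // Sites on the Allow list always open pop-ups and never raise the Information bar.
  if (settings.allowList.includes(opener.hostname)) return allowed("allow-list");
  // "Temporarily Allow Pop-ups" only lasts for this browser window instance.
  if (req.temporarilyAllowed) return allowed("temporarily-allowed");

  if (settings.level === LEVEL.BLOCK_ALL) {
    // Even pop-ups opened from a clicked link are blocked unless CTRL is held.
    return req.userClicked && req.ctrlHeld
      ? allowed("ctrl-override")
      : blocked(settings, "all-blocked");
  }
  // At the other two levels a pop-up opened by the user's own click is let through.
  if (req.userClicked) return allowed("user-click");
  // Assumption: "secure site" is modelled as an https: opener page.
  if (settings.level === LEVEL.ALLOW_SECURE && opener.protocol === "https:") {
    return allowed("secure-site");
  }
  return blocked(settings, "automatic-pop-up");
}

// Constructed sample: default level, one allow-listed host.
const sampleSettings = {
  level: LEVEL.BLOCK_MOST,
  allowList: ["intranet.example"],
  showInfoBar: true,
  playSound: false,
};
```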
  There are some scenarios in which the pop up window will appear
even if the pop up blocker is enabled.
  Internet Explorer Window Restrictions
  Earlier, Internet Explorer provided the capability for scripts to
programmatically open additional windows of various types, and to resize and
reposition existing windows.
  Visitors to certain web sites had peculiar
problems when handling pop-up windows. These window-opening
methods were called by scripts and used to spoof a user interface or desktop, or
to hide malicious information or activity, by one of the following three
methods:
off-screen.
the user.
  When these elements are hidden from view, the user might think
they are on a more trusted page or interacting with a system process when they
are actually interfacing with a malicious host. Malicious use of window
relocation can present false information to the user, obscure important
information, or otherwise “spoof” important elements of the user interface in
an attempt to motivate the user to take unsafe actions or to divulge sensitive
information.
  The Window Restrictions security feature, formerly called UI
Spoofing Mitigation, restricts two types of script-initiated windows that have
been used by malicious persons to deceive users: popup windows (which do not
have components such as the address bar, title bar, status bar, and toolbars)
and windows that include the title bar and status bar. As a consequence,
script-initiated windows with the title bar and status bar are constrained in
scripted movement to ensure that these important and informative bars remain
visible after the operation completes.
the visible top of the display.
bottom of the display.
  The visible security features of Internet Explorer windows provide
information to the user to help them ascertain the source of the Web page and
the security of the communication that uses that page.
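
The constraint on scripted movement described in this section can be sketched as a function that takes a script's move or resize request and returns the position the window actually ends up in. This is an added example, not code from the article or from Internet Explorer: the function and field names and the minimum height are assumptions, and only the vertical limits (visible top and bottom of the display) are modelled.

```javascript
// Simplified model of Window Restrictions for a script-initiated window that
// has a title bar and a status bar (added example; names and sizes are assumed).
const MIN_HEIGHT = 100; // assumed minimum so both bars still fit in the window

function clamp(value, low, high) {
  return Math.min(Math.max(value, low), high);
}

// win: { left, top, width, height }; display: { top, height } of the visible area.
// op mirrors the DOM calls window.moveTo/moveBy/resizeTo/resizeBy.
function applyScriptedOp(win, op, display) {
  const next = { ...win };
  switch (op.type) {
    case "moveTo": next.left = op.x; next.top = op.y; break;
    case "moveBy": next.left += op.dx; next.top += op.dy; break;
    case "resizeTo": next.width = op.width; next.height = op.height; break;
    case "resizeBy": next.width += op.dw; next.height += op.dh; break;
    default: throw new Error("unknown operation: " + op.type);
  }
  const requested = { top: next.top, height: next.height };

  // The window may not be taller than the display, or both bars could not be
  // visible at once.
  next.height = clamp(next.height, MIN_HEIGHT, display.height);
  // Title bar (top edge) stays at or below the visible top; status bar (bottom
  // edge) stays at or above the visible bottom.
  const lowestTop = display.top + display.height - next.height;
  next.top = clamp(next.top, display.top, lowestTop);

  // Report whether the script's request had to be adjusted.
  next.constrained = next.top !== requested.top || next.height !== requested.height;
  return next;
}

// Constructed sample: a 400x300 window on a display 768 pixels high.
const sampleDisplay = { top: 0, height: 768 };
const sampleWindow = { left: 100, top: 100, width: 400, height: 300 };
```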
  Internet Explorer Add-on Management
  Add-ins are small programs that are embedded in the browser and
help the user to get certain functionality when browsing the Internet or using
particular applications. Examples of add-ins are:
  Add-ons are installed from a variety of locations. The different
ways of installing add-ins are:
  Examples of popular add-ins that are used by the majority of
browser users are:
Figure 4. The Manage Add-ons dialog box.
  The problem with add-ins is that they can also be deceptive
in nature and can perform a variety of tasks which are not known to the user.
For example, a user might unintentionally install an add-on that secretly
records all Web page activity and reports it to a central server. These kinds of
deceptive add-ons could only be identified by specialized software, and deep
technical knowledge was required to identify and remove such an add-on.
  Internet Explorer Add-on Management provides an easier way to
detect and disable particular add-ons. It allows users to view the
add-ons that have been installed on the computer and to control the list of
add-ons that can be loaded by Internet Explorer, with more detailed control
than before over particular controls that might be harmful. It also
shows the presence of some add-ons that were previously not shown and could be
very difficult to detect. These add-ons might provide undesired functionality
or services and, in some cases, might present a security risk.
  Managing Add-ons
  Users can enable and disable each add-on individually and view
information about how often the add-ons have been used by Internet Explorer. To
do this, use the following procedure to open Manage Add-ons.
  You can also open Manage Add-ons through Control Panel by
following these steps:
  Manage Add-ons has several options that allow you to change your
add-on configuration. You can use Show to control the way in which the add-ons
list is displayed. It has two options:
  Add-ons currently loaded in Internet Explorer. This option
lists the add-ons that have been instantiated (or loaded into memory) within
the current Internet Explorer process and those which have been blocked from
instantiating. This includes ActiveX controls that were used by Web pages that
were previously viewed within the current process.
Figure 5. Add-ons currently loaded in IE.
  Add-ons that have been used by Internet Explorer. This option
lists all add-ons that have been referenced by Internet Explorer and are still
installed. The list of add-ons shows all installed add-ons of the types
mentioned earlier in this document. To enable or disable an installed add-on,
click the add-on in the list, then click Enable or Disable.
Figure 6. Add-ons that have been used by Internet Explorer.
  If you click an ActiveX control in the list, then click Update
ActiveX, Windows searches for an update at the location where the original
control was found. If a newer version is found at that location, Internet
Explorer attempts to install the update.
  The list of add-ons also contains signed add-ons that were blocked
from installation because their publisher was untrusted. After selecting one of
these controls, the user can unblock the control by clicking Allow. Caution
should be exercised when doing this, because clicking Allow removes the
publisher from the Untrusted list. There are indicators to view add-ons that
were blocked by the user or add-ons that come from untrusted publishers. We
will discuss untrusted publishers in a future article.
  Indicators of blocked add-ons.
  Blocked Add-on status bar icon: A Blocked Add-on icon
appears in the status bar when a Web page attempts to instantiate an ActiveX
control that is disabled or blocked because its publisher is untrusted. You can
double click the icon to open Manage Add-ons. The status bar icon is
accompanied by a balloon tip the first five times it appears.
  Add-on notification balloon tip: When a Web page attempts
to instantiate a disabled add-on and there is no current Blocked Add-on status
bar icon, a message appears to tell the user that the current Web page is
requesting an add-on that is disabled. The user can click the message for more
details on blocking add-ons.
  We have covered a lot today and seen how the browser has been
revamped in SP2. But that is not all that has been enhanced in the browser.
There is more to be seen, and we will see it in the next article.
  To be continued...