All IE8 security settings

There are occasions when Internet Explorer (IE) has problems with JavaScript or plugins that at least partially stem from the browser's security level; for example, it can prevent IE users from checking out with Drupal's Ubercart e-commerce module (a bad thing). For those occasions, here are all of the IE8 security settings listed in a single table, in all their gory detail.

To see them, go to the Tools browser menu, click the Internet Options menu item, open the Security tab, then click Custom Level to see how each setting is adjusted for the specific security level.

IE Security Settings

| Category | Setting | Medium (default) | Medium-High | High |
|---|---|---|---|---|
| .NET Framework | Loose XAML | enable | enable | disable |
| .NET Framework | XAML browser applications | enable | enable | disable |
| .NET Framework | XPS documents | enable | enable | disable |
| ActiveX controls and plugins | Allow previously unused ActiveX controls to run without prompt | enable | disable | disable |
| ActiveX controls and plugins | Allow scriptlets | disable | disable | disable |
| ActiveX controls and plugins | Automatic prompting for ActiveX controls | disable | disable | disable |
| ActiveX controls and plugins | Binary and script behaviors | enable | enable | disable |
| ActiveX controls and plugins | Display video and animation on a webpage that does not use external media player | disable | disable | disable |
| ActiveX controls and plugins | Download signed ActiveX controls | prompt (recommended) | prompt (recommended) | disable |
| ActiveX controls and plugins | Download unsigned ActiveX controls | disable (recommended) | disable (recommended) | disable (recommended) |
| ActiveX controls and plugins | Initialize and script ActiveX controls not marked as safe for scripting | disable (recommended) | disable (recommended) | disable (recommended) |
| ActiveX controls and plugins | Only allow approved domains to use ActiveX without prompt | disable | enable | enable |
| ActiveX controls and plugins | Run ActiveX controls and plug-ins | enable | enable | disable |
| ActiveX controls and plugins | Script ActiveX controls marked safe for scripting | enable | enable | disable |
| Downloads | Automatic prompting for file downloads | disable | disable | disable |
| Downloads | File download | enable | enable | disable |
| Downloads | Font download | enable | enable | disable |
| Downloads | Enable .NET framework setup | enable | enable | disable |
| Miscellaneous | Access data sources across domains | disable | disable | disable |
| Miscellaneous | Allow META REFRESH | enable | enable | disable |
| Miscellaneous | Allow scripting of Microsoft web browser control | enable | disable | disable |
| Miscellaneous | Allow script-initiated windows without size or position constraints | disable | disable | disable |
| Miscellaneous | Allow webpages to use restricted protocols for active content | prompt | prompt | disable |
| Miscellaneous | Allow websites to open windows without address or status bars | enable | disable | disable |
| Miscellaneous | Display mixed content | prompt | prompt | prompt |
| Miscellaneous | Don't prompt for client certificate selection when no certificates or only one certificate exists | disable | disable | disable |
| Miscellaneous | Drag and drop or copy and paste files | enable | enable | prompt |
| Miscellaneous | Include local directory path when uploading files to a server | enable | disable | disable |
| Miscellaneous | Installation of desktop items | prompt (recommended) | prompt (recommended) | disable |
| Miscellaneous | Launching applications and unsafe files | prompt (recommended) | prompt (recommended) | disable |
| Miscellaneous | Launching programs and files in an IFRAME | prompt (recommended) | prompt (recommended) | disable |
| Miscellaneous | Navigate windows and frames across different domains | disable | disable | disable |
| Miscellaneous | Open files based on content, not file extension | enable | enable | disable |
| Miscellaneous | Submit non-encrypted form data | enable | enable | prompt |
| Miscellaneous | Use Pop-up Blocker | enable | enable | enable |
| Miscellaneous | Use SmartScreen Filter | enable | enable | enable |
| Miscellaneous | Userdata persistence | enable | enable | disable |
| Miscellaneous | Websites in less privileged web content zones can navigate into this zone | enable | enable | disable |
| Scripting | Active scripting | enable | enable | disable |
| Scripting | Allow Programmatic clipboard access | prompt | prompt | disable |
| Scripting | Allow status bar updates via script | enable | disable | disable |
| Scripting | Allow websites to prompt for information using scripted windows | enable | disable | disable |
| Scripting | Enable XSS filter | enable | enable | enable |
| Scripting | Scripting of Java applets | enable | enable | disable |
| User Authentication | Login | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Prompt for user name and password |

FYI, these were obtained from a Windows XP SP3 virtual machine and may behave differently on different versions of Windows.
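The Custom Level dialog is a view onto per-zone registry values, so the same settings can be dumped for auditing instead of being read off the screen. The PowerShell below is an added example, not part of the original post: it reads the Internet zone (zone 3) for the current user and writes a CSV to compare against the table. It assumes the URL action IDs and value meanings that Microsoft documents for zone settings, maps only a subset of the rows, and the output file name is arbitrary.

```powershell
# Added example: export a subset of the Internet zone (zone 3) settings to CSV.
# Registry value names are the documented URL action IDs (assumption: per-user
# settings, not overridden elsewhere).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '1409' = 'Enable XSS filter'
    '1601' = 'Submit non-encrypted form data'
    '1609' = 'Display mixed content'
    '1803' = 'File download'
    '1806' = 'Launching applications and unsafe files'
    '1A00' = 'Login'
}

# Generic policy values used by most actions.
$policy = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }
# The logon action (1A00) has its own value set.
$logon = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

$zone = Get-ItemProperty -Path $zoneKey

$report = foreach ($id in ($actions.Keys | Sort-Object)) {
    $raw = $zone.$id
    if ($null -eq $raw)     { $text = 'not set' }
    elseif ($id -eq '1A00') { $text = $logon[[int]$raw] }
    else                    { $text = $policy[[int]$raw] }
    # Anything outside the known value sets is reported raw rather than guessed.
    if (-not $text) { $text = 'unknown (0x{0:X})' -f $raw }
    New-Object PSObject -Property @{ Id = $id; Setting = $actions[$id]; Value = $text }
}

$report | Select-Object Id, Setting, Value |
    Export-Csv -Path .\ie-zone3-settings.csv -NoTypeInformation
```

Settings pushed by Group Policy are stored separately from the per-user key read here, so on a managed machine the values in effect can differ from this output.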

2 Comments

Missing the following

Missing the following section: .NET Framework-reliant components, which has the following settings:
Permissions for components with manifests
Run components not signed with Authenticode
Run components signed with Authenticode

I'm running Win XP SP3 too. The locale of my OS is English - perhaps that's the disconnect?

Also, there is a typo in the following: "Allow webpages to use restricted protocols for active content:". "for active content" should be "form active content". Otherwise very handy and helpful. Thanks - Chris

Is there a way to export a

Is there a way to export a .csv or .xls file out of IE8 with a summary of these security settings?
