by MS
If your network has multiple segments or if specific address ranges shouldn't be proxied when accessed, enter the appropriate IP addresses or IP address ranges in the Exceptions list. Each entry must be separated with a semicolon. The asterisk (*) character can be used as a wildcard character to specify an address range of 0 through 255, such as 192.*.*.*, 192.158.*.*, or 192.158.10.*.
Click OK.
To ensure that proxy settings are applied uniformly to all users of a particular computer, you can set an additional policy that assigns proxy settings per machine rather than per user. When you enable this policy, proxy settings apply to all users of the same computer and users cannot set their own proxy settings. This prevents users from overriding the standard proxy settings for the organization. You can make proxy settings per machine by following these steps:
Access Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer in Group Policy and then double-click Make Proxy Settings Per-Machine (Rather Than Per-User) in the right pane.
Select Enabled and then click OK. The affected computer or computers need to be rebooted for this policy to be applied.
Note
If you disable or do not configure this policy, users of the same computer can set their own proxy settings. These settings might override those set through Group Policy.
Managing Browser Cookies and Other Temporary Internet Files
Whenever users browse the Web, many types of temporary Internet files are stored on their computers, including:
Standard temporary Internet files Copies of Web pages, images, and media from sites users have visited
Browser cookies Used to store information about preferences, log-ins, etc.
Browser history Lists of Web sites users have visited
Form data Saved information typed into forms
Passwords Passwords saved from users previously signing in to Web sites that use forms-based authentication
The most misunderstood temporary Internet file is the browser cookie. Browser cookies are used to store information on client computers so that it can be retrieved in other pages or in other browser sessions. Cookies are commonly used to store sign-in information for protected Web sites, user preferences, and shopping cart items. Internet Explorer browsers save cookies in domain-specific text files. Cookies are read from and written to cookie files as records. Fields in a cookie record detail the domain of the server that created the cookie, the name of the cookie, the string of data being stored in the cookie, the expiration date for the cookie, a Boolean value indicating whether you need a secure HTTP connection to access the cookie, and a path designator indicating the URL path(s) that can access the cookie.
You can manage browser cookies and other types of temporary Internet files using the Internet Properties dialog box. If users spend a lot of time on the Internet and you have disk space limitations, you might need to more closely manage the space used by temporary Internet files. Access the Internet Properties dialog box in Control Panel by clicking Network And Internet and then clicking Internet Options. Afterward, use the following procedures as necessary to recover and restrict disk space usage:
Clear out temporary Internet files
On the General tab, click Delete under Browsing History.
Delete individual types of temporary Internet files by clicking the related buttons. When prompted, click Yes to confirm the action.
Click Delete All to delete all types of temporary Internet files. When prompted, select Also Delete Files And Settings Stored By Add-Ons to delete temporary files and settings created by browser add-ons. Click Yes to confirm the action.
Set disk space usage for temporary Internet files
On the General tab, click Settings under Browsing History.
Use the Disk Space To Use combo box to specify how much disk space can be used by temporary Internet files.
By default, temporary Internet files are stored in a folder under %UserProfile%. If you want to move this folder to a drive with more space, click Move Folder and then use the Browse For Folder dialog box to select the new save location.
Click OK twice.
Internet Explorer relies on a Web site's compact privacy policy to determine how the site uses cookies. The World Wide Web Consortium (W3C) has defined an official recommendation regarding Web privacy called the Platform for Privacy Preferences Project (P3P). P3P enables Web sites to report their privacy practices in a standard format that can be retrieved automatically and interpreted by user agents, such as Web browsers. User agents rely on what is reported in the compact privacy policy, and generally cannot determine whether cookies are used as reported.
You can use the Privacy tab of the Internet Properties dialog box to configure the way browser cookies are used. You can then use the Settings slider to specify how cookies should be used. Privacy settings available include: Block All Cookies, High, Medium High, Medium, Low, and Allow All Cookies. When you are using a privacy setting ranging from High to Low, you might want to make an exception for a site rather than raise or lower your privacy setting. To do this, click the Sites button on the Privacy tab. Type the address of the Web site in the field provided and then click Allow or Block as appropriate. If you click Allow, cookies for the site will then be accepted. If you click Block, cookies for the site will then be blocked. Keep in mind that you cannot make exceptions when you use the Block All Cookies or Allow All Cookies setting. With these settings, all cookies are always either blocked or allowed—there is no in between or exception.
The privacy setting options are used as follows:
Block All Cookies Blocks all new cookies and ensures any existing cookies cannot be read by Web sites. Many Web sites won't function properly if you use a setting of High or Block All Cookies. It is also important to point out that any sites you've configured as Allow exceptions are blocked as well. This means the Allow exception is ignored while this setting is selected.
High Blocks all cookies from sites that do not have a declared privacy policy indicating the source, purpose, and lifetime of cookies used by those particular sites. It also blocks all cookies with a declared privacy policy stating that those cookies gather information that could be used to contact you (such as your name, e-mail address, home address, and logon information) without your explicit consent.
Note
Browsers determine whether and how cookies gather personal information based on the site's declared compact privacy policy. Browsers rely on the policy itself and generally cannot determine whether personal information is collected as stated.
Medium High Blocks cookies from sites other than the one you are viewing (such as an advertiser who advertises at the current site) that do not have a declared privacy policy statement indicating the source, purpose, and lifetime of cookies used by that particular site. It also blocks cookies from other sites (such as advertisers) with a declared privacy policy stating that cookies gather personal identification information without your explicit consent. Further, it blocks cookies from the current site if there is a declared privacy policy statement that specifies that cookies gather information without implied consent.
Note
Implied consent is granted automatically. Basically, it means you haven't opted out or told the site you don't want personal information to be collected, so the information can be collected.
Medium The default privacy setting. Blocks cookies from sites other than the one you are viewing (such as an advertiser at the current site) that do not have a declared privacy policy indicating the source, purpose, and lifetime of cookies used by that particular site. It restricts cookies from the current site and blocks cookies from other sites (such as advertisers) that have a declared privacy policy stating that cookies gather personal identification information without implied consent.
Low Blocks cookies from sites other than the one you are viewing (such as an advertiser at the current site) that do not have a declared privacy policy indicating the source, purpose, and
lifetime of cookies used by that particular site. It restricts cookies from other sites (such as advertisers) that have a declared privacy policy stating that cookies gather personal identification information without implied consent.
Accept All Cookies Accepts all new cookies and allows Web sites to read existing cookies. It is important to point out that any sites you've configured as Block exceptions are allowed as well, meaning the Block doesn't apply while this setting is used.
Secure Browsing and Local Machine Lockdown
To help make the operating system more secure, Internet Explorer security was revised greatly starting with Windows XP Service Pack 2, and these same changes are in Windows Vista. These security changes affect many areas of the browser and introduce several new features, including:
Browser Information Bar and general security
Add-On Manager
Pop-Up Blocker
The sections that follow examine each of these features.
Understanding Dynamic Security Protection, the Browser Information Bar, and Other Browser Security Enhancements
Dynamic Security Protection in Internet Explorer is a comprehensive safety and security framework designed to safeguard the integrity of your organization's computers while also helping to protect an individual's personal information. The main features of Dynamic Security Protection are Protected Mode, privacy reporting, and phishing filter.
Protected Mode isolates Internet Explorer from other applications running on the computer and restricts how adds-ons are used. Because of Protected Mode, add-ons can only write information to temporary Internet folders and must have explicit consent from the user to write to any other location. Additionally, preinstalled Microsoft ActiveX controls are disabled by default, and you can start Internet Explorer with all add-ons disabled if desired. To start Internet Explorer in Add-On Disabled mode, click Start, All Programs, Accessories, Internet Explorer (No Add-Ons), or right-click the Internet Explorer shortcut on the desktop and select Internet Explorer (No Add-Ons).
As part of the Protected Mode enhancements, the URL handler in Internet Explorer has been redesigned as well. The updated URL handler has a new parser, which protects the computer from possible URL parsing exploitations, such as URLs that attempt to run commands. This new parser also features international domain name anti-spoofing, which is designed to warn users if malicious individuals use the new international domain name support to create look-alike domain names.
Privacy reporting provides quick access to privacy information that includes whether cookies were restricted or blocked based on privacy settings; which Web sites have content on the page; and the accepted, restricted, or blocked status of cookies from those sites. In Internet Explorer, you can view a privacy report for the open page by clicking Page and then clicking Web Page Privacy Policy.
Phishing is a technique whereby a site attempts to collect personal information without a person's consent. Internet Explorer's phishing filter warns you about sites known to collect personal information without consent and also displays a warning when a site attempts to collect personal information without your consent. Related warning icons are displayed on the browser's status bar. With the status bar warnings, however, it is important to keep in mind that the warning doesn't necessarily mean a site conducts or is conducting phishing. Instead, it might only mean that the site isn't a large, wellknown, commercial site.
The Phishing Filter is always on by default. In Internet Explorer, you can manage the phishing filter by clicking Tools and then clicking Phishing Filter. If you select Turn Off Automatic Website Checking, you can manually check sites if desired using the Check This Website option.
In Windows Vista, the Browser Information Bar is used in place of many of the common Internet Explorer dialog boxes and prompts. The information bar is designed to help users navigate the many security enhancements for pop-up windows, add-ons, and active content. When the information bar is displayed, it appears just below the address bar. Whenever this bar is displayed, you can click or right-click it to display a shortcut menu with additional options that allow you to enable or disable the related feature and perform other related tasks.
Table 14-1 provides a summary of the most common messages you'll see and the related options in the Internet Properties dialog box.
Table 14-1: Understanding Secure Browsing and Lockdown
Information Bar Message
Description
Action/Resolution
Active Content Blocked. To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer.
This message is displayed for any pages that contain scripts or other types of active content that access information on the local computer. Active Content is blocked by default to ensure malicious files accident.
You can configure active content blocking by selecting or clearing Allow Active Content To Run In Files On My Computer on the Advanced tab of the Internet Properties dialog box. To allow only this particular page to execute active content, click the information bar. Active content on CD AutoRun pages can be controlled using Allow Active Content From CDs To Run On My Computer.
File Download Blocked. To help protect your security, Internet Explorer blocked this site from downloading files to your computer.
This message is displayed any time an automatic download or installation is prevented. Downloads are blocked by default to prevent sites from overwhelming users with download prompts and to help resolve problems with accidentally installing unwanted software.
You can configure automatic prompting through the Web zone security settings. On the Security tab of the Internet Properties dialog box, select a Web zone by clicking it and then clicking Custom Level. In the Security Settings dialog box, select the appropriate option for Automatic Prompting For File Downloads. To allow only the blocked file to download, right-click the information bar and select Download Software.
Pop-up Blocked. To see this pop-up or additional options, click here…
This message is displayed whenever a page contains a link that opens a new window or a script calls a method, such as window.open(), that opens a new window, and the Pop-up Blocker is in effect.
You can configure the blocking of pop-ups by selecting or clearing Block Pop-Ups on the Privacy tab of the Internet Properties dialog box. To configure pop-up blocking exceptions, click Settings on the Privacy tab and set a specific exception. You can also configure an exception for the current site by right-clicking the information bar and selecting Allow Pop-Ups For This Site.
Software Install Blocked. To help protect your security, Internet Explorer stopped this site from installing software on your computer.
As with drivers, digital signatures are checked before downloading and installing ActiveX controls and other executables. This message is displayed whenever you attempt to install an ActiveX control or other executable with a missing or invalid signature. In general, it is a good idea to block these downloads because they are typically from untrusted publishers and might also represent malicious or undesirable types of files, such as adware.
You can configure the blocking of executables by selecting or clearing Allow Software To Run Or Install Even If The Signature Is Invalid on the Advanced tab of the Internet Properties dialog box. To allow only this executable to install, right-click the information bar and select Install Software.
Software Blocked. Your security settings do not allow ActiveX controls to run on this page. This page might not display correctly.
This message is displayed if running of ActiveX controls and plug-ins is disabled or blocked by an administrator.
You can configure the way ActiveX controls and plug-ins run by setting Web zone security settings. On the Security tab of the Internet Properties dialog box, select a Web zone by clicking it and then clicking Custom Level. In the Security Settings dialog box, select the appropriate option for Run ActiveX Controls And Plug-Ins. To allow ActiveX cont
rols and plug-ins only for the current site, right-click the Information Bar and select Allow This Site To Run ActiveX Controls.
Using the Add-On Manager for Internet Explorer
Internet Explorer functionality can be extended and enhanced through add-ons. Many types of add-ons are available, including the following:
Browser helper objects that add help dialog boxes and other help information
Browser extensions that add functionality or enhance browser features
Toolbar options that add menu items and buttons to the browser toolbar
ActiveX controls that provide additional functionality and allow execution of additional types of media such as Shockwave Flash files
As Figure 14-8 shows, these and other types of add-ons can be controlled through the Manage Add-Ons dialog box. To access this dialog box, access the Internet Properties dialog box and then click Manage Add-Ons on the Programs tab. You can then use the following options:
Enable add-ons To enable an add-on that has been disabled previously, select it and then click Enable. If the option is unavailable (dimmed), the Do Not Allow Users To Enable Or Disable Add-Ons policy might be enabled in Group Policy under User ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer.
Disable add-ons To disable an add-on, select it and then click Disable. Internet Explorer Crash Detection enables users to disable add-ons that cause problems with the browser. You can control Crash Detection using the Turn Off Crash Detection policy under User ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer.
Update add-ons If an ActiveX control is known to have an update available (as determined by Automatic Updates), you can select the add-on and click Update ActiveX to update the add-on.
Real World
Because Windows Vista includes a built-in pop-up blocker, pay particular attention to any browser add-ons that act as pop-up blockers. Many Internet service providers (ISPs), Earthlink included, provide pop-up blockers to their customers. Some firewall and antivirus software includes pop-up blockers as well. Running a third party pop-up blocker in addition to the Windows pop-up blocker can lead to results that can be very confusing. Typically, you'll want to use only the Windows pop-up blocker and disable any other pop-up blockers running on the computer. In most cases, you'll find the Windows pop-up blocker is more configurable than other pop-up blockers, and it's easier to work with as well.