Internet Explorer 6 SP1 security changes

From: Tom Gilder (tom@TOM.ME.UK)
Date: 08/08/02

Date:         Thu, 8 Aug 2002 18:26:23 +0100
From: Tom Gilder <tom@TOM.ME.UK>

Here are some details about security changes in IE6 SP1. These changes are
available in the iereadme.txt file, from

Please note that SP1 has *not* been officially announced by Microsoft yet, the
files on the Windows Update might not be final.

In Internet Explorer: can no longer open in full-screen mode
In Internet and Restricted Sites zones, can no longer open
in full-screen "kiosk" mode.

Window placement
Windows can no longer be moved off the screen using the move, resize,
and open methods of the window object.

ActiveX must be enabled to install COM server
ActiveX must now be enabled in order to install a COM server. As a
result, Internet Explorer 6 SP 1 now checks to see if ActiveX is
enabled before installing a COM server.

Setting and retrieving cookies
In order for cookies (both session and persistent) to be set and/or
retrieved, server names can only contain "A-Z", "a-z", "0-9", "-",
and a ".". Anything else like a "_" will result in cookies not being
set or retrieved.

WebOC can no longer be used on the Internet. It can only be used on
the intranet.

The codeBase attribute of an OBJECT tag can no longer specify a
local path.

Security settings
The settings for the security levels of the Web content zones
have changed for Internet Explorer 6 SP 1 and might no longer be
consistent with those in earlier versions of Internet Explorer. If
you upgrade from a previous version of Internet Explorer, Setup will
save your previous security settings and transfer them to
Internet Explorer 6 SP 1 as a Custom Security Level.

Frames and IFRAMES disabled in the restricted zone
Frames (including IFRAMES) have been completely disabled in the
restricted zone. Any sites added to the restricted zone will not render
frames. Because mail runs in the restricted zone no frames will be
rendered in any mail message. Please be aware that your e-mail
client must be running in the restricted zone (using the default
settings) to take advantage of this feature.

Download file dialog box has changed
The dialog box that prompts you to Open, Save, or Cancel the download
of a file has changed. When files that can contain viruses (or are
executables themselves) are being downloaded the Open/Save dialog
box will contain a warning icon as well as an extra line of text
telling users "This type of file could harm your computer if it
contains malicious code."

Gopher protocol
The gopher protocol has been disabled by default. If you must use
gopher you can re-enable the functionality by setting the following
registry key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Internet Settings]"EnableGopher"=dword:00000001

And in Outlook Express:

Virus protection feature
Virus protection is the answer to renewed interest in the threat of
e-mail viruses. It blocks programmatic sends and lets users specify
if they want to open or save attachments. This option to block the
preset list of file types may be accessed via the checkbox under
Tools | Options | Security | "Do not allow attachments to be opened or
saved that could potentially be a virus." This option is enabled by
default for new installations and upgrades.

Additional changes prevent automatic execution of script in messages
designated as plain text. FRAMES and IFRAMEs are also now blocked
for the Restricted Sites Zone by default (where Outlook Express runs
by default). This eliminates a primary source of virus scripts embedded
in e-mail. FRAMEs in e-mail will no longer display using the default
settings in Outlook Express. To view the FRAMEs, the user may use
the Plain Text option (see below) to move the FRAMES to an attachment
that may be viewed, enable FRAMES for the Restricted Sites Zone
(not recommended), or move Outlook Express out of the
Restricted Sites Zone (highly NOT recommended).

Plain text e-mail option
Outlook Express now has the ability to read all messages as plain
text. Users may set this option in Tools/Options/Read/"Read all messages
in plain text." When this option is selected, all received mail is
viewed in plain text format. This option is disabled by default. When
enabled, mail received that is in HTML format will display only the
plain text portions; HTML sections will be moved to an HTML attachment
and will be indicated by a paperclip icon in the Preview Pane or will
be shown in the attachment well of the open message. Also see the
"Virus Protection" section above regarding display of FRAMES with the
Plain Text option enabled as well as the option to block potentially
unsafe attachments, including HTML files.

Tom Gilder