Re: Possible IE 6 Bug - Differences Between Windows Explorer And IE

From: Kevin Watkins (mrkwatkins_at_hotmail.com)
Date: 04/19/04

    Date: 19 Apr 2004 02:00:14 -0700
    
    

    > Hi Kevin,
    >
    > This is not a bug in any version of the browser. This is by-design. One
    > process cannot access the memory for another process. As you have seen,
    > when you browse a URL via a Windows Explorer window, it will browse that
    > URL via the explorer.exe process. If you then open a new window, it will
    > launch a new iexplore.exe process, and that iexplore.exe process cannot
    > access the memory space for the explorer.exe process.
    >
    > There is a way that you can force the process to not cache credentials in
    > this scenario. Open an Explorer window and click on Tools, Folder Options.
    > Click the View tab and select the option to "Launch folder windows in a
    > separate process." After you check that, restart the computer. Now
    > credentials will no longer be cached after the Windows Explorer window is
    > closed and a new one opened.

    Hi,

    Thanks for your reply. I have just tested this again under IE5.5 and I
    get different behaviour. The 'Launch folder windows in a separate
    process' isn't ticked, yet the credentials do not get cached when I
    shut the Windows Explorer window with my site in.

    I can understand this being by design, but may I ask what the
    rationale is? The design appears to have changed from 5.5 to 6
    according to my simple tests, and surely not launching an iexplore.exe
    process from Windows Explorer makes everything less secure? (In that
    another user could gain access to the PC and gain login credentials,
    whereas they couldn't if an iexplore.exe was launched) Especially
    seeing as this box is not ticked by default.

    I'm still thinking there must be a solution to this though. I cannot
    get all my users to tick that box, because most of them won't and
    people may log in using public computers anyway. Many other sites I use
    on the internet don't suffer from this problem, so I'm assuming there
    must be something I can do to my site to plug this security hole? Is
    there anything you can think of that might help?

    Thanks,

    Kev

