Re: Possible IE 6 Bug - Differences Between Windows Explorer And IE

From: Kevin Watkins (
Date: 04/19/04

  • Next message: Nils Magnus Englund: "Combining forms and Windows authentication"
    Date: 19 Apr 2004 02:00:14 -0700

    > Hi Kevin,
    > This is not a bug in any version of the browser. This is by-design. One
    > process cannot access the memory for another process. As you have seen,
    > when you browse a URL via a Windows Explorer window, it will browse that
    > URL via the explorer.exe process. If you then open a new window, it will
    > launch a new iexplore.exe process, and that iexplore.exe process cannot
    > access the memory space for the explorer.exe process.
    > There is a way that you can force the process to not cache credentials in
    > this scenario. Open an Explorer window and click on Tools, Folder Options.
    > Click the View tab and select the option to "Launch folder windows in a
    > separate process." After you check that, restart the computer. Now
    > credentials will no longer be cached after the Windows Explorer window is
    > closed and a new one opened.


    Thanks for your reply. I have just tested this again under IE5.5 and I
    get different behaviour. The 'Launch folder windows in a separate
    process' isn't ticked, yet the credentials do not get cached when I
    shut the Windows Explorer window with my site in.

    I can understand this being by design, but may I ask what the
    rationale is? The design appears to have changed from 5.5 to 6
    according to my simple tests, and surely not launching an iexplore.exe
    process from Windows Explorer makes everything less secure? (In that
    another user could gain access to the PC and gain login credentials,
    whereas they couldn't if an iexplore.exe was launched.) Especially
    seeing as this box is not ticked by default.

    I'm still thinking there must be a solution to this though. I cannot
    get all my users to tick that box, because most of them won't and
    people may log in using public computers anyway. Many other sites I use
    on the internet don't suffer from this problem, so I'm assuming there
    must be something I can do to my site to plug this security hole? Is
    there anything you can think of that might help?


