Re: Possible IE 6 Bug - Differences Between Windows Explorer And IE
From: Jim Cheshire [MSFT] (jamesche_at_online.microsoft.com)
Date: Mon, 19 Apr 2004 15:12:33 GMT
I'm not sure why you would see different behavior between IE 5 and 6. You
might want to post this question in the IE Client newsgroup for input
Jim Cheshire, MCSE, MCSD [MSFT]
This post is provided "AS-IS" with no warranties and confers no rights.
>From: firstname.lastname@example.org (Kevin Watkins)
>Subject: Re: Possible IE 6 Bug - Differences Between Windows Explorer And
>Date: 19 Apr 2004 02:00:14 -0700
>Content-Type: text/plain; charset=ISO-8859-1
>X-Trace: posting.google.com 1082365215 17082 127.0.0.1 (19 Apr 2004
>NNTP-Posting-Date: Mon, 19 Apr 2004 09:00:15 +0000 (UTC)
>> Hi Kevin,
>> This is not a bug in any version of the browser. This is by-design.
>> process cannot access the memory for another process. As you have seen,
>> when you browse a URL via a Windows Explorer window, it will browse that
>> URL via the explorer.exe process. If you then open a new window, it
>> launch a new iexplore.exe process, and that iexplore.exe process cannot
>> access the memory space for the explorer.exe process.
>> There is a way that you can force the process to not cache credentials
>> this scenario. Open an Explorer window and click on Tools, Folder
>> Click the View tab and select the option to "Launch folder windows in a
>> separate process." After you check that, restart the computer. Now
>> credentials will no longer be cached after the Windows Explorer window
>> closed and a new one opened.
>Thanks for your reply. I have just tested this again under IE5.5 and I
>get different behaviour. The 'Launch folder windows in a separate
>process' isn't ticked, yet the credentials do not get cached when I
>shut the Windows Explorer window with my site in.
>I can understand this being by design, but may I ask what the
>rationale is? The design appears to have changed from 5.5 to 6
>according to my simple tests, and surely not launching an iexplore.exe
>process from Windows Explorer makes everything less secure? (In that
>another user could gain access to the PC and gain login credentials,
>whereas they couldn't if an iexplore.exe was launched) Especially
>seeing as this box is not ticked by default.
>I'm still thinking there must be a solution to this though. I cannot
>get all my users to tick that box, because most of them won't and
>people may login using public computers anyway. Many other sites I use
>on the internet don't suffer from this problem, so I'm assuming there
>must be something I can do to my site to plug this security hole? Is
>there anything you can think of that might help?