Chapter 24: Browsing the World Wide Web with Internet Explorer


Managing Internet Explorer's Security and Privacy Settings

You should keep two risk factors in mind when you use the Web:

This section discusses the tools and options that Internet Explorer provides for dealing with these risks. Also see the section "Managing Which Files Internet Explorer Downloads" in Chapter 31.

Controlling Cookies

Internet Explorer 6 gives you much more control over cookies than previous versions of Internet Explorer did. Unfortunately, IE 6's privacy level settings make the situation seem much more complicated than it is, and none of them is a very good cookie policy. However, you can override Internet Explorer's automatic cookie-handling system to set up a simple, sensible cookie policy.

The next few sections explain what cookies are and how the P3P privacy protection system works. If you don't care about that and just want to know what to do, skip ahead to the "Setting Cookie Policy" section.

What Are Cookies?

A cookie is a small (at most 4K) file that a Web server can store on your machine. Its purpose is to allow a Web server to personalize a Web page, depending on whether you have been to that Web site before and what you may have told it during previous sessions. For example, when you establish an account with an online retailer or subscribe to an online magazine, you may be asked to fill out a form that includes some information about yourself and your preferences. The Web server may store that information (along with information about when you visit the site) in a cookie on your machine. When you return to that Web site in the future, the retailer's Web server can read its cookie, recall this information, and structure its Web pages accordingly.

Much has been written about whether cookies create a security or privacy hazard for you. If your Web browser is working properly, the security hazard is minimal. It is, at first glance, unsettling to think that Web servers are storing information on your hard drive without your knowledge. But cookies are not executable programs. They cannot, for example, search for and accumulate information from elsewhere on your system. They simply record information that you have already given to the Web server.

The privacy issue is real, however. Cookies do make it easier for advertising companies to gather information about your browsing habits. For example, a company that advertises on a large number of Web sites can use cookies to keep track of where you have seen its ads before, and which ads (if any) you clicked. In this way advertisers can learn your interests and perhaps deduce more about you than you would want them to know.

Cookies are of two basic kinds: first-party cookies and third-party cookies. (You are considered to be the second party.) The difference is in where they come from. First-party cookies are cookies that come directly from the Web site you asked for. For example, if you register with Yahoo and personalize a Yahoo start page, the cookie that Yahoo sets is a first-party cookie. Third-party cookies are cookies that come from Web servers that you may not realize you are dealing with. For example, the Yahoo start page may contain advertising placed by an agency like DoubleClick, and the cookie that the advertising agency sets is a third-party cookie.

What Is P3P?

The Platform for Privacy Preferences (P3P) is a new open standard (which Internet Explorer 6 supports) for Web sites to specify their privacy policies in a form that can be read by computers. The idea is that you can decide once and for all how high to set your privacy standards, and your Web browser can compare your decisions to the privacy policies of the Web sites you visit, warning you if your standards are about to be violated.

Here's how it works: The people who create Web sites fill out a multiple-choice form about what information their Web site collects, what it does with that information, and how long it keeps the information. Their answers get codified into tags that get attached to their Web pages--tags that browsers like IE 6 can read but typically don't display. You set one of five privacy levels that IE 6 offers, and it blocks cookies and issues privacy warnings accordingly.

The benefit of the system is that the multiple-choice questions at least pin down the Web sites. Up until now, most Web sites either have not had privacy policies or have written them in impenetrable legalese. It has been completely impractical to read the privacy policies of all the Web sites you visit and make individual judgments about them.

The system has several weaknesses, however, and at the moment it is unclear whether it will do any good. First, it's voluntary--Web sites don't have to fill out the questionnaire, and if very few do, the system will be useless. (This is what happened to the PICS system for rating the sex-and-violence content of Web sites. See "Blocking Offensive Web Content" earlier in this chapter.) Second, it's nobody's job to verify that the Web sites have answered the questions honestly. Finally, you have to count on the browser makers to implement P3P in a way that lets you do what you want to do in a simple, understandable fashion. Since Microsoft is a major player in e-commerce and Web advertising, its sympathies are at least as much with the advertisers as with you, and they have designed Internet Explorer 6 accordingly.

You can read more about the Platform for Privacy Preferences (P3P) at http://www.w3.org/P3P.
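As an added illustration (not part of this book), here is a small Python parser for the compact form of a P3P policy, the CP="..." value of the HTTP P3P response header that Internet Explorer 6 reads when a cookie arrives. The token vocabulary is the one in the P3P 1.0 specification; the three sample headers are constructed and describe no real site, and the final check (contact data declared without opt-in consent) is a simplified rule of this example, not Internet Explorer's exact evaluation of the privacy levels.

```python
"""Parse a P3P compact policy: the CP="..." value of the HTTP P3P response
header that Internet Explorer 6 reads when a cookie arrives.

Added example (not from the book). Token vocabulary: P3P 1.0 specification,
compact policy section. The sample headers are constructed for illustration.
"""
import re

# P3P 1.0 compact policy token groups.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
GROUPS = (("access", ACCESS), ("disputes", DISPUTES), ("remedies", REMEDIES),
          ("non_identifiable", NON_IDENTIFIABLE), ("purposes", PURPOSES),
          ("recipients", RECIPIENTS), ("retention", RETENTION),
          ("categories", CATEGORIES))
# Purpose and recipient tokens may carry a consent suffix:
# a = always, i = only with opt-in consent, o = unless the user opts out.
SUFFIXED = PURPOSES | RECIPIENTS
# Categories that identify a person directly: physical and online contact data.
CONTACT_CATEGORIES = {"PHY", "ONL"}

# Constructed sample headers (no real site).
SAMPLE_TRACKER = 'CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR SAMa UNRa IND PHY ONL UNI NAV INT DEM"'
SAMPLE_OPT_IN = 'CP="ALL DSP COR CURi TAIi OUR STP PHY ONL"'
SAMPLE_ANONYMOUS = 'CP="NOI DSP COR NID CURa ADMa DEVa OUR NOR NAV"'


def parse_compact_policy(header_value):
    """Return {group: {token: suffix or None}} for a P3P header value.

    Tokens outside the vocabulary land under "unknown", so a malformed or
    non-standard policy is visible instead of silently dropped.
    """
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError('no CP="..." compact policy in header')
    parsed = {name: {} for name, _ in GROUPS}
    parsed["unknown"] = {}
    for raw in m.group(1).split():
        token, suffix = raw, None
        if len(raw) == 4 and raw[:3] in SUFFIXED and raw[3] in "aio":
            token, suffix = raw[:3], raw[3]
        for name, vocab in GROUPS:
            if token in vocab:
                parsed[name][token] = suffix
                break
        else:
            parsed["unknown"][raw] = None
    return parsed


def collects_contact_data_without_opt_in(policy):
    """Simplified check (this example's rule, not IE 6's): the site declares
    physical or online contact data, does not declare the data
    non-identifiable, and lists at least one purpose that is not gated on
    opt-in consent."""
    if not (set(policy["categories"]) & CONTACT_CATEGORIES):
        return False
    if policy["non_identifiable"]:
        return False
    return any(suffix != "i" for suffix in policy["purposes"].values())


if __name__ == "__main__":
    for label, header in (("tracker", SAMPLE_TRACKER), ("opt-in", SAMPLE_OPT_IN),
                          ("anonymous", SAMPLE_ANONYMOUS)):
        policy = parse_compact_policy(header)
        print(label, "- contact data without opt-in:",
              collects_contact_data_without_opt_in(policy))
```

Note what the parser cannot do: it only reads what the site chose to declare. Nothing in the header proves the declaration is true, which is the second weakness described above.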

How Does Internet Explorer Implement P3P Privacy Policies?

The privacy tab of the Internet Options dialog box contains a slider that you can set to one of six levels from Accept All Cookies to Block All Cookies. The default level is Medium. The descriptions of these levels are phrased using technical terms like personally identifiable information, implicit consent, explicit consent, and compact privacy policy. What follows is our interpretation of what these levels actually mean.

What Is a Sensible Cookie Policy?

First we'll tell you what you don't want: You don't want to block all cookies, because you give up much of the functionality and convenience of the Web. You also don't want Internet Explorer to ask you what to do every time a Web site wants to set a cookie, because you'll spend more time deciding about cookies than you'll spend reading Web pages.

You do want to make a distinction between first-party and third-party cookies, because third-party cookies benefit only the advertisers, not you.

The cookie policy we'd like to have is Medium High for first-party cookies, and to block third-party cookies altogether. This does not seem to be possible with Internet Explorer. Given that fact, we recommend the following policy: accept all first-party cookies and block all third-party cookies. This isn't one of the six levels on the slider, but you can configure Internet Explorer to do it.

Another reasonable option (but somewhat more difficult to set up) is to select the High level and then create exceptions for a few favorite Web sites whose cookies are blocked. This policy allows a few more third-party cookies and a few fewer first-party cookies than the policy suggested in the previous paragraph. However, this option stops many shopping sites from working, because the sites use shopping-cart programs hosted on third-party Web sites. (Another option is to use Netscape instead of IE, because of its more flexible cookie policies.)

Setting Cookie Policy

Cookie policy is controlled from the Privacy tab of the Internet Options dialog box. If you want one of the settings described in the previous section, move the slider to that setting and click OK.

If you want to set up our recommended cookie policy (allow first-party and block third-party cookies), do the following:

  1. Select Tools | Internet Options to open the Internet Options dialog box.
  2. Select the Privacy tab of the Internet Options dialog box (see Figure 24-6).
Figure 24-6: Setting IE's privacy options
  3. Click the Advanced button on the Privacy tab. The Advanced Privacy Settings box appears.
  4. Check the Override Automatic Cookie Handling box.
  5. Select the Accept radio button under First-Party Cookies and the Block radio button under Third-Party Cookies.
  6. Click OK in both of the open dialog boxes.

If a particular Web site is not working because its cookies are being blocked, you can choose to create an exception for it without changing your settings for other Web sites. (For reasons that escape us, Microsoft has made this option unavailable if you have chosen the Block All Cookies setting.) Do the following:

  1. Select Tools | Internet Options to open the Internet Options dialog box.
  2. Select the Privacy tab of the Internet Options dialog box.
  3. Click the Edit button on the Privacy tab. The Per Site Privacy Actions box opens.
  4. Type the URL of the Web site into the Address Of Web Site line.
  5. Click the Allow button and click OK in both open dialog boxes.

If you want to block the cookies on a particular Web site when your overall policy would allow them, do the previous steps, but click the Block button in Step 5.
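The following Python model, added here and not taken from the book, spells out the policy the steps above configure: accept first-party cookies, block third-party cookies, and let a per-site Allow or Block exception override either decision, the way the Per Site Privacy Actions box does. The page URL, cookie sources and host names are constructed; deciding "same site" by comparing the last two labels of the host name is this example's simplification, not Internet Explorer's exact rule, and it misjudges hosts under registries such as co.uk.

```python
"""Model of the recommended cookie policy (accept first-party cookies,
block third-party cookies) with per-site Allow/Block exceptions that take
precedence, as Internet Explorer 6's Per Site Privacy Actions do.

Added example (not from the book). Page URLs and cookie sources are
constructed. "Same site" means the last two host labels match, a
simplification of this example rather than Internet Explorer's exact rule.
"""
from urllib.parse import urlparse


def site_of(url_or_host):
    """Reduce a URL or bare host name to its site: the last two DNS labels."""
    host = urlparse(url_or_host).hostname if "://" in url_or_host else url_or_host
    if not host:
        raise ValueError("no host in %r" % url_or_host)
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_first_party(page_url, cookie_source_url):
    """A cookie is first-party when the server setting it belongs to the
    site of the page the user asked for; otherwise it is third-party."""
    return site_of(page_url) == site_of(cookie_source_url)


class CookiePolicy:
    def __init__(self, accept_first_party=True, accept_third_party=False,
                 exceptions=None):
        self.accept_first_party = accept_first_party
        self.accept_third_party = accept_third_party
        # Per-site exceptions: site -> "allow" or "block" (checked first).
        self.exceptions = {site_of(site): action
                           for site, action in (exceptions or {}).items()}

    def decide(self, page_url, cookie_source_url):
        """Return (decision, reason) for one Set-Cookie from
        cookie_source_url received while viewing page_url."""
        source_site = site_of(cookie_source_url)
        if source_site in self.exceptions:
            return self.exceptions[source_site], "per-site exception"
        if is_first_party(page_url, cookie_source_url):
            return ("allow" if self.accept_first_party else "block"), "first-party"
        return ("allow" if self.accept_third_party else "block"), "third-party"


def apply_policy(policy, page_url, set_cookie_events):
    """set_cookie_events: iterable of (cookie_source_url, cookie_name).
    Returns a list of (cookie_name, decision, reason) in the same order."""
    return [(name,) + policy.decide(page_url, source)
            for source, name in set_cookie_events]


# Constructed sample: a shop page whose cart runs on a third-party host.
PAGE = "http://www.shop.example/checkout"
EVENTS = [
    ("http://www.shop.example/checkout", "session"),     # first-party
    ("http://img.shop.example/logo.gif", "visited"),     # first-party (same site)
    ("http://ad.doubleclick.net/pixel.gif", "id"),       # third-party advertiser
    ("http://cart.cartprovider.example/cart", "cart"),   # third-party, but the shop needs it
]
RECOMMENDED = CookiePolicy(accept_first_party=True, accept_third_party=False,
                           exceptions={"cartprovider.example": "allow"})

if __name__ == "__main__":
    for name, decision, reason in apply_policy(RECOMMENDED, PAGE, EVENTS):
        print("%-8s %-5s (%s)" % (name, decision, reason))
```

The cart host is the case from the "What Is a Sensible Cookie Policy?" section: its cookie is third-party, so the base policy blocks it and the shop stops working until an Allow exception for that site is added.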

tip The first time you use MSN Explorer, the setup program requires you to move your privacy setting down to Medium. However, as soon as the setup is finished you can move your privacy settings back up. Any setting but Block All Cookies allows the great majority of MSN Explorer's features to continue working.

Managing the Cookies You Have

Windows stores your cookies in two folders:

Reading a cookie in WordPad or some other text program probably will not tell you much, though it may set your mind at ease to realize just how little information is there. Delete individual cookies from your system by deleting the corresponding text files, or nuke them all by clicking the Delete Cookies button on the General tab of the Internet Options dialog box.

Managing Scripts, Applets, and ActiveX Controls

Some Web pages increase the amount of interactivity they can offer by downloading small programs to run on your computer. For example, rather than transmitting the individual frames of an animation over the Internet, a Web server may send an animation-constructing program that runs on your computer. A financial Web site may download a program that displays a scrolling stock ticker. Typically, this process is invisible to the user--the interaction or the animation just happens, without calling your attention to how it happens.

While these programs are useful, they also create security issues. If Web sites can put useful programs on your computer and run them without informing you, precautions must be taken to make sure that they can't also put harmful programs on your computer. Internet Explorer takes certain precautions automatically and allows you the option to choose additional precautions.

What Are Java, JavaScript, VBScript, and ActiveX?

Java is a language for sending small applications (called applets) over the Web so that they can be executed by your computer. JavaScript is a language for extending HTML to embed small programs called scripts in Web pages. VBScript, a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript) can do, too, and vice versa.

ActiveX controls, like Java, are a way to embed executable programs into a Web page. Unlike Java and JavaScript, but like VBScript, ActiveX is a Microsoft system that is not used by Navigator or most other browsers. When Internet Explorer encounters a Web page that uses ActiveX controls, it checks to see whether that particular control is already installed; if it is not, IE installs the control on your machine.

caution ActiveX controls are considerably more dangerous than JavaScript or VBScript scripts or Java applets. Java applets and JavaScript scripts are run in a "sandbox" inside your Web browser, which limits the accidental or deliberate damage they can do; and VBScript scripts are run by an interpreter, which should limit the types of damage they can do. However, ActiveX controls are programs with full access to your computer's resources.

Security Zones

Internet Explorer has different security settings for its four zones: Trusted Sites, Local Intranet, Internet, and Restricted Sites. The default settings are Low in the Trusted Sites zone, Medium-Low in the Local Intranet zone, Medium in the Internet zone, and High in the Restricted Sites zone. These zones and settings are discussed in Chapter 31.

The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:

  1. Open the Internet Options dialog box by selecting Tools | Internet Options from the Internet Explorer menu bar.
  2. Click the Security tab of the Internet Options dialog box.
  3. Select the zone you want to examine or change.
  4. If you want to change the security setting of a zone, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)
  5. To see the nitty-gritty details of the current security settings for the selected zone, click the Custom Level button. The Security Settings dialog box opens.
  6. If you want to change the security settings of the selected zone, scroll through the Security Settings dialog box until you see the item you want to change. Change an item by checking or unchecking its check box, or by selecting a different radio button than the current selection.
  7. Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.

Managing Java and JavaScript

The security settings that affect Java and JavaScript are in the Java and Scripting sections of the Security Settings dialog box. You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely. Follow the steps in the previous section.

Managing ActiveX Controls

We have never been big fans of ActiveX controls. They allow Web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls--which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: They have the same status as applications that you install yourself.

Disabling ActiveX controls is one option. However, if you frequent Microsoft Web sites like MSN or MSNBC, you will be exposed to numerous temptations to turn them back on. (We finally gave in to the excellent portfolio-tracking services at MSN Moneycentral.) We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the "Security Zones" section above.) When you find a Microsoft Web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone. See Chapter 31 for a discussion of security zones and trusted sites.

ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files. If you use Internet Explorer, you should check this folder periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.
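The Security Settings dialog box shows the zone settings one zone at a time, which makes it easy to miss a zone that was left at its defaults. The Python script below, an added example that is not from the book, checks the compromise suggested above (ActiveX disabled everywhere except the Trusted Sites zone) across all four zones at once. It reads the per-zone values Internet Explorer stores in the current user's registry under Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, where each setting is a DWORD holding 0 (Enable), 1 (Prompt) or 3 (Disable); the zone numbers and value names used are Internet Explorer's own. The SAMPLE_SETTINGS snapshot is constructed so the audit can also run on a machine without that registry.

```python
r"""Audit Internet Explorer security-zone settings for the compromise
suggested in the text: ActiveX disabled in every zone except Trusted Sites.

Added example (not from the book). Registry location, zone numbers and
value names are those Internet Explorer stores under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones,
each DWORD holding 0 (Enable), 1 (Prompt) or 3 (Disable). SAMPLE_SETTINGS
is a constructed snapshot so the audit runs on any platform; on Windows,
read_zone_settings() reads the live values for the current user.
"""
try:
    import winreg            # available on Windows only
except ImportError:
    winreg = None

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
TRUSTED_SITES = 2
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# ActiveX items of the Security Settings dialog, keyed by registry value name.
ACTIVEX_SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}
SCRIPTING_SETTINGS = {"1400": "Active scripting"}
ALL_SETTINGS = {**ACTIVEX_SETTINGS, **SCRIPTING_SETTINGS}

# Constructed snapshot: Intranet and Restricted hardened, Trusted left open on
# purpose, Internet zone still at its Medium defaults (the thing to catch).
SAMPLE_SETTINGS = {
    1: {"1001": 3, "1004": 3, "1200": 3, "1201": 3, "1400": 0},
    2: {"1001": 1, "1004": 3, "1200": 0, "1201": 3, "1400": 0},
    3: {"1001": 1, "1004": 3, "1200": 0, "1201": 3, "1400": 0},
    4: {"1001": 3, "1004": 3, "1200": 3, "1201": 3, "1400": 3},
}


def read_zone_settings():
    """Read the per-zone values from the registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is available only on Windows")
    settings = {}
    for zone in ZONES:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "%s\\%d" % (ZONES_KEY, zone)) as key:
            settings[zone] = {}
            for name in ALL_SETTINGS:
                try:
                    settings[zone][name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    settings[zone][name] = None   # value absent: IE applies its default
    return settings


def audit_activex(settings, trusted_zone=TRUSTED_SITES):
    """Return findings (zone name, setting, level name) for every ActiveX
    setting outside the trusted zone that is not set to Disable."""
    findings = []
    for zone, values in sorted(settings.items()):
        if zone == trusted_zone:
            continue
        for name, description in ACTIVEX_SETTINGS.items():
            level = values.get(name)
            if level != DISABLE:
                findings.append((ZONES[zone], description, LEVEL_NAMES.get(level, str(level))))
    return findings


if __name__ == "__main__":
    settings = read_zone_settings() if winreg else SAMPLE_SETTINGS
    for zone_name, description, level in audit_activex(settings) or []:
        print("%-16s %-60s %s" % (zone_name, description, level))
```

A value that is absent from the registry is reported as "(not set)" rather than skipped, because in that case Internet Explorer falls back to the zone's default level, which for the Internet zone leaves ActiveX enabled.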

Displaying a Privacy Report About a Web Page

New for Internet Explorer 6, the Privacy Report helps you determine how much information you are willing to give a particular site. It also enables you to determine what kind of information a site is storing on your computer and whether the site complies with its own privacy policy.

The primary drawback here is that Microsoft has aligned itself with TRUSTe (at http://www.truste.org), a self-proclaimed privacy watchdog group. However, TRUSTe predominantly sells its services as a site evaluator, only requiring sites to post a privacy policy. Posting a policy, no matter how good it looks, is no guarantee that it will be adhered to. Only trust those you know you can trust, and don't leave the trusting up to a third party.

Accessing the Windows Privacy Report is easy. In Internet Explorer, choose View | Privacy Report from the menu. You see a list of the objects that are loaded on the page you are looking at, typically graphics.

These connected objects may be on the same Web server as the page itself or might have been loaded from other Web servers. If any of the objects listed have placed a cookie on your computer, you see it listed in the column to the right.

caution By using a tiny, invisible 1 pixel x 1 pixel image on many Web pages, DoubleClick (an online advertising company) can secretly install tracking cookies on your computer. These cookies, though harmless, can pass back information about where on the site you are going. This data is collected and then used to develop visitor profiles. They can also track you when you go to other sites that carry DoubleClick ads.

Click the Settings button to see the Privacy tab of the Internet Options dialog box (these options are covered in Chapter 24). The Advanced button enables you to set how cookies are dealt with. Our favorite arrangement is to allow cookies from the originating server but to refuse them from any external servers. This almost globally allows cookies that are specific to your browsing while rebuffing those that are used for external tracking and advertising information gathering.
