  1. #1
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Could you provide a link to whatever you are commenting on? I understand most of what you're saying, but a more complete picture would be nice.

  2. #2
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    He's referring to the latest issue of what used to be Woody's Windows Watch - WINDOWS SECRETS NEWSLETTER (formerly Woody's Windows Watch and Brian's Buzz on Windows) ISSUE 42
    Gre

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    I only read about half of what I'm subscribed to. And I'm not even subscribed to that one.

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Humorously (or maybe it is 'sadly'), I try to read most of Woody's newsletters. Having Brian at the helm is a little different and I am still not sure I like the 'combination' idea. I had to vent after this one, so I chose this forum. Hope it is OK! ;-]

  5. #5
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Windows Secrets - Protect IE -- part two (N/A)

    I am not entirely sure of my take on Brian's article.

    "What Microsoft suggests, which is absurd " - states that MS "recommends that Windows users change the security settings of the so-called Internet Zone in Internet Explorer to 'High.' " I am not sure that this is really absurd. In fact, later in the same article Brian recommends:

    "To make your Internet Zone more secure, pull down the Tools menu in IE, then click Internet Options and select the Security tab. Select the Internet Zone, then click the Custom Level button. In the dialog box that appears, change the following settings to the values shown: (All items are essentially set to "Disable")." Therein lies the inconsistency!

    Brian says that Microsoft's idea is absurd, but then he recommends to MANUALLY accomplish the exact same goal. So is it absurd to make all the necessary changes in a few clicks (set the zone to "High"), or is it absurd to manually change 19 different items in a drop down list?? I think your time is better served if you follow Microsoft's advice; the end result is essentially the same. You can always open the Configure dialog box later and make fine adjustments.

    Next he recommends locking down the My Computer (aka Local Machine) zone. Perhaps things have changed significantly over the past year or two, but on our previous trials locking down the Local Machine zone had the undesirable side effect of stopping many programs from running correctly. The most blatantly obvious one was Windows Explorer. Why? Because WE is a close brethren to IE, and WE uses ActiveX to display some of its more complicated features. In fact, ActiveX is used by many programs that you have installed on your computer. So, shutting down Active Content in the Local Machine zone may not be ideal for many users.

    It is conceivable that MS and other vendors eliminated ActiveX in their new programs, but this article is supposed to be addressed to users that DON'T have WinXP -- and are likely those that don't have the most up-to-date computers.

    I agree completely with adding sites that you trust and visit regularly to the Trusted sites zone -- that is the whole point behind Zone security. That is what you are supposed to do! However, using Jason's Trust Setter is a better option than the one Brian gives. (www.jasons-toolbox.com)

    After ALL the crap that has happened to users' computers over the past year, can ANY ONE argue that the "Internet" should NOT be Restricted??? How many more "Browser Hijacks" and "Drive-by Downloads" do you need to see?? The 'basic' Internet should always be considered Restricted -- that may be sad, but it is definitely true. If you trust a site and want it to use Active Content, then add it to your Trusted sites!

    Lastly, this is sort of bogus -- or at least a little out of date:

    "Many programs other than IE, such as Microsoft Outlook and Outlook Express, use IE's rendering engine to write to the screen, etc. Changing the security settings of the Internet Zone also strengthens these applications, making it safer for you to read e-mail and use these programs in other ways."

    Well, not long ago MS corrected the problem of having its Email Clients opening mail in the Internet zone. The default has been Restricted sites for a long time now. Check your computer right now. So, changing the Internet zone security settings has NO effect on your Email security, unless you have specifically reassigned your Email to the Internet zone (Not recommended). Furthermore, any ActiveX or Scripting these clients do that don't involve an open Email would be done in the Local Machine (My Computer) zone -- because they are installed on your Local Machine. Therefore, modifications to the Internet zone security settings AGAIN would not come into play.... FWIW.

  6. #6
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    There are some aspects of the Local Machine Zone advice that do seem to make some sense. So I have been giving it a test run. It does seem, however, that an end result is that opening links in my browser now takes forever and a day - even if it is to a Trusted Site. Do you have any clear understanding which setting affects this? The apps in question are all non-M$, with the sources being a mail client and a text editor. In fact, the text editor white-screened on a 1 Gb RAM machine.

    I do agree that Brian's style is very much different from any of the previous incarnations of Woody's e-zines; right down to the "commercials" being more intrusive. Even TNPC seems more like a Woody product!
    Gre

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Hmmm... I am not sure why that would occur. On the surface, I don't see a clear relationship. To solve that I might use something like FileMon and RegMon from Sysinternals and see what was really happening during the slow down. Perhaps something is being repetitively accessed for some data that it cannot get?

    Norton/Symantec is a developer that uses a lot of Local Machine ActiveX. I have heard that sp2 breaks a lot of their programs, and perhaps this is the mechanism?? I have been purposefully dragging my feet installing sp2 -- my computer has been 'safe' for years.

  8. #8
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    >Norton/Symantec is a developer that uses a lot of Local Machine ActiveX

    You may (conceivably) have something there - as I do have NAV running. (No other Norton products, however.)

    It's not an SP2 issue. (My extra hard disk connects by FireWire and will not (as yet) function under SP2. Thus I have deinstalled SP2.)
    Gre

  9. #9
    New Lounger
    Join Date
    Oct 2004
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    > ActiveX is used by many programs that you have installed on your
    > computer. So, shutting down Active Content in the Local Machine
    > zone may not be ideal for many users.

    With ActiveX scripting set to "prompt", all of the .chm html
    help files, for Excel, Word, etc, all take extra clicks to open and
    navigate around in.

    How do I add these to the Trusted Zone? I tried different ways of
    entering the path/filename, but kept striking out.

    TIA,

    Andy

  10. #10
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    You have come up against the Catch-22. You would have to put your Local Machine into the Trusted Zone - which defeats the object of the exercise in resetting the Security Levels! Naturally, if there were some way you could certify individual files as being trustworthy, then you could resolve the issue. AFAIK certification at that kind of level is not available. HTH
    Gre

  11. #11
    3 Star Lounger
    Join Date
    Nov 2004
    Location
    Nottingham, Nottinghamshire, United Kingdom
    Posts
    326
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Alternatively, a much easier solution is just to switch to Firefox or some other alternative browser...
    Lyra J
    Ducking the arrows in Robin Hood country

  12. #12
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Using Firefox is not really a solution for the Local Machine zone -- which is a significant part of the newsletter.

    Yes, there is the Catch-22: as I stated above, if you restrict the Local Machine (My Computer) zone then MANY things do not work correctly on your computer. I do not see this as a viable, long term solution. It is "cutting off your nose to spite your face" -- or something like that!

    And Unk points out, there is no "fine-grained" control that one could use to set specific restrictions on certain ActiveX controls. Think of the VAST IMPROVEMENT that would be! Let's say you wanted to restrict MOST ALL ActiveX controls in the Internet zone, but you wanted to let Acrobat Reader run. You can't do it! It is all or nothing: either ALL ActiveX is allowed, or none.

    There are two small caveats, but there is MINIMAL security in those! You can specifically restrict the Downloading of "Unsigned" controls and you can block controls that are not marked "Safe". But... there is no ActiveX police! The author of the control is responsible for marking the control "Safe" -- sort of like letting the wolf guard the hen house. There is a scant more safety (perhaps) with downloading only "signed" controls, but I have little faith that advertising companies don't have signatures, or that the really bad guys can't fake them or steal them! So, I would not trust my computer solely to these restrictions...

    SpywareBlaster is an Excellent tool at blocking some of the really bad controls, but it suffers from the same problem as AntiVirus programs -- it relies on a definition list. Once the control makes the list, all the creator has to do is modify ONE LITTLE BIT -- and the control has a completely different Class Identifier, thereby avoiding detection by SpywareBlaster. Don't get me wrong, I love SpywareBlaster, but one has to understand its limitations.

  13. #13
    New Lounger
    Join Date
    Oct 2004
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    > Naturally, if there were some way you could certify individual
    > files as being trustworthy, then you could resolve the issue.
    > AFAIK certification at that kind of level is not available.

    When I tried to enter a file into the Trusted Zone, I got an error
    message that included:

    You have entered an invalid wildcard sequence.

    Examples of valid patterns:

    file:\\localsvr\share

    It sounded like *some* kind of file would be permissible, so I fooled
    with things like - file:*.chm, *.chm , *.chm, C:*.chm, etc.

    Guess not, as you said.

    oh well

    Andy

  14. #14
    5 Star Lounger
    Join Date
    Jan 2002
    Location
    Midlothian, Virginia, USA
    Posts
    874
    Thanks
    0
    Thanked 2 Times in 1 Post

    Re: Windows Secrets - Protect IE -- part two (N/A)

    >> Next he recommends locking down the My Computer (aka Local Machine) zone. Perhaps things have changed significantly over the past year or two, but on our previous trials locking down the Local Machine zone had the undesirable side effect of stopping many programs from running correctly. <<

    You are soooo right! Unfortunately, I'm real late coming in on this subject. I didn't get around to reading that newsletter until a couple of weeks ago and I haven't been regularly reading messages in this forum. I implemented Brian's suggestions and I was locked out of nearly everything! It isn't easy to add all the necessary addresses to the Trusted Zone, but that is the smallest part of the problem. After I increased the security in the My Computer zone, I could not get into this forum to ask about it! And I could not download Firefox to get out of the problem. And the My Computer zone does not have an active Default button to return you to an acceptable state. For a long while I didn't have any idea that the changes in the My Computer zone were causing the problem so I didn't go in there and change the settings. I asked about the problem on a CompuServe forum and nobody there seemed to have read that newsletter or had any idea why I had followed such ridiculous advice! I finally changed the My Computer zone settings to some basically wide open settings and now I can get in here. I don't know what settings should really be used there, but I've downloaded and installed Firefox and I'll probably use it whenever I can at this point. Anyway, I think it is a real shame for Woody to be associated with a newsletter that would give such ridiculous advice.

    Bill

  15. #15
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Windows Secrets - Protect IE -- part two (N/A)

    Something that was implicit (rather than explicitly stated) in what the Newsletter said was that it effectively involved changing the Registry. It did specifically point you to which Registry key was in point. Thus, I backed up/exported the Registry key before I changed it and was able to change it back. You can try exporting the settings from a similar set-up. As ever, back up your existing settings first! HTH
    Gre
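
The backup-before-change routine described in post #15, and the missing Default button for the My Computer zone noted in post #14, as an added example that is not part of any post in this thread and not from the newsletter. It assumes the zone settings live in the standard per-user key under `HKCU` (zone 0 = My Computer, 3 = Internet); the backup folder and function names are hypothetical.

```powershell
# Added example: snapshot, diff and restore IE security-zone settings.
# Assumes per-user zone settings (no HKLM-only policy in force).
$ZoneKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$BackupDir = Join-Path $env:USERPROFILE 'ZoneBackups'   # hypothetical location

function Export-ZoneSettings {
    # Writes a timestamped .reg file for one zone and returns its path.
    param([ValidateRange(0,4)][int]$Zone = 0)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("zone{0}-{1:yyyyMMdd-HHmmss}.reg" -f $Zone, (Get-Date))
    & reg.exe export "HKCU\$ZoneKey\$Zone" $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for zone $Zone" }
    return $file
}

function Get-ZoneSnapshot {
    # Reads every value of the zone key into a hashtable (name -> data).
    param([ValidateRange(0,4)][int]$Zone = 0)
    $item = Get-Item -Path "HKCU:\$ZoneKey\$Zone"
    $snap = @{}
    foreach ($name in $item.GetValueNames()) { $snap[$name] = $item.GetValue($name) }
    return $snap
}

function Compare-ZoneSnapshot {
    # Lists the settings whose data differs between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if ("$($Before[$n])" -ne "$($After[$n])") {
            [pscustomobject]@{ Setting = $n; Before = $Before[$n]; After = $After[$n] }
        }
    }
}

function Restore-ZoneSettings {
    # Re-imports the exported values. Values created after the export
    # are not deleted by an import; only exported values are rewritten.
    param([Parameter(Mandatory)][string]$File)
    & reg.exe import $File
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $File" }
}

# Typical sequence:
#   $backup = Export-ZoneSettings -Zone 0
#   $before = Get-ZoneSnapshot -Zone 0
#   ... change the zone settings ...
#   Compare-ZoneSnapshot $before (Get-ZoneSnapshot -Zone 0) | Format-Table
#   Restore-ZoneSettings -File $backup
```

The diff step shows which individual settings a change touched, so a single setting that breaks local applications can be reverted on its own instead of rolling back the whole zone.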
