IE6 Security Settings (archived)
Do something about your browser, no matter which track -- basic, strong or robust -- you're on. It can easily be the weakest link in the chain otherwise.
ZDNet and CERT have illustrated instructions for IE 6 security settings. Their advice and mine may not agree. You get to make up your own mind -- that's part of the fun. :-) If you want to understand more about Internet security settings, study this.
To access Internet Explorer security options: click "Tools" ("View" in earlier versions of IE) > "Internet Options" > "Security" (tab) > click the "Custom Level" button. Use the recommended settings listed below.
IE security options were changed by SP2 for Windows. Some settings were added, as noted by "**", and the "Information Bar" was added, which makes IE safer and easier to use.
- **Automatic prompting for ActiveX controls: Disable or Prompt (prompt enables the Information Bar)
- **Binary and script behaviors: Disable or Prompt
- Download signed ActiveX controls: Disable or Prompt
- Download unsigned ActiveX controls: Disable or Prompt
- Initialize and script ActiveX controls not marked as safe: Disable or Prompt
- Run ActiveX controls and plug-ins: Disable or Prompt
- Script ActiveX controls marked safe for scripting: Disable or Prompt
- **Automatic prompting for file downloads: Enable (prompt enables the Information Bar)
- Downloads: Enable
- Font Download: Prompt
- Access data sources across domains: Disable or Prompt
- Allow META REFRESH: Disable
- Display mixed content: Disable or Prompt
- Don't prompt for client certificate selection...: Disable
- Drag and drop or copy and paste files: Prompt
- Installation of desktop items: Disable or Prompt
- Allow cookies that are stored on your computer: Disable
- Allow per-session cookies (not stored): Enable
- Java permissions: High safety
- Launching programs and files in an IFRAME: Disable or Prompt
- Navigate sub-frames across different domains: Disable or Prompt
- Software channel permissions: High safety
- Submit non-encrypted form data: Disable or Prompt
- Userdata persistence: Disable
- Active scripting: Disable or Prompt
- Allow paste operations via script: Disable or Prompt
- Scripting of Java applets: Disable or Prompt
- Logon: Automatic logon only in Intranet zone
Some sites may not work well, or at all, after you change these settings. Others may bug you with incessant requests. Many people give up and allow active scripting. Don't do that. Keep your base configuration safe and bypass security constrictions for sites that you trust.
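IE stores each of the settings listed above as a DWORD value, named by URL action code, under the zone's registry key. The following is an added example, not part of the original page: a Python audit of a `reg export` of that key against part of the list, assuming the Internet zone (`Zones\3`), the encoding 0 = Enable, 1 = Prompt, 3 = Disable, hypothetical function names, and a constructed sample export.

```python
import re

# Assumptions: zone 3 = Internet zone; DWORD 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_KEY = r"Internet Settings\Zones\3"
LABEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
# URL action code -> (setting name as listed above, values the list accepts)
RECOMMENDED = {
    "1004": ("Download unsigned ActiveX controls", {1, 3}),
    "1200": ("Run ActiveX controls and plug-ins", {1, 3}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {1, 3}),
    "1405": ("Script ActiveX controls marked safe for scripting", {1, 3}),
    "1400": ("Active scripting", {1, 3}),
    "1407": ("Allow paste operations via script", {1, 3}),
    "1604": ("Font Download", {1}),
    "1608": ("Allow META REFRESH", {3}),
}

# Constructed sample in .reg export format, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
"1200"=dword:00000001
"1201"=dword:00000000
"1400"=dword:00000000
"1608"=dword:00000003
'''

def parse_zone(reg_text, zone_key=ZONE_KEY):
    """Return {action code: int} for DWORD values under the zone key only."""
    values, in_zone = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if line.startswith("["):  # a new key section starts here
            in_zone = line.rstrip("]").lower().endswith(zone_key.lower())
        elif in_zone and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return (code, setting, current state) for every deviation from the list."""
    current, findings = parse_zone(reg_text), []
    for code, (name, ok) in sorted(RECOMMENDED.items()):
        value = current.get(code)  # None when the export has no such value
        if value not in ok:
            findings.append((code, name, LABEL.get(value, "not set" if value is None else hex(value))))
    return findings

if __name__ == "__main__":
    for code, name, state in audit(SAMPLE_REG):
        print(f"{code}  {name}: {state}")
```

Files written by `reg export` are UTF-16, so decode them with that encoding before passing the text to `audit`.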