Internet Explorer security levels compared
A pretty good question came across the newsgroups the other day. Someone was asking what the differences are between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.
Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.
About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.
| Column heading | Meaning | Entry | Meaning |
|---|---|---|---|
| H | High | D | Disable |
| MH | Medium-high | E | Enable |
| M | Medium | P | Prompt |
| ML | Medium-low | | |
| L | Low | | |
In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.
At the very bottom of this post I've included the settings from the privacy tab, too.
Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MSDN link above for differences between IE 6 and IE 7.
.NET Framework

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Loose XAML | D | E | E | E | E |
| XAML browser applications | D | E | E | E | E |
| XPS documents | D | E | E | E | E |
.NET Framework-reliant components

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Permissions for components with manifests | D | 1 | 1 | 1 | 1 |
| Run components not signed with Authenticode | D | E | E | E | E |
| Run components signed with Authenticode | D | E | E | E | E |

1 = High safety
ActiveX controls and plug-ins

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Allow previously unused ActiveX controls to run without prompt | D | D | E | E | E |
| Allow scriptlets | D | D | D | E | E |
| Automatic prompting for ActiveX controls | D | D | D | E | E |
| Binary and script behaviors | D | E | E | E | E |
| Display video and animation on a Web page that doesn't use an external media player | D | D | D | D | D |
| Download signed ActiveX controls | D | P | P | P | E |
| Download unsigned ActiveX controls | D | D | D | D | P |
| Initialize and script ActiveX controls not marked as safe for scripting | D | D | D | D | P |
| Run ActiveX controls and plug-ins | D | E | E | E | E |
| Script ActiveX controls marked as safe for scripting | D | E | E | E | E |
Downloads

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Automatic prompting for file downloads | D | E | E | E | E |
| File download | D | E | E | E | E |
| Font download | P | E | E | E | E |
Enable .NET Framework setup

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Enable .NET Framework setup | D | E | E | E | E |
Miscellaneous

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Access data sources across domains | D | D | D | P | E |
| Allow META REFRESH | D | E | E | E | E |
| Allow scripting of Internet Explorer Web browser control | D | D | D | E | E |
| Allow script-initiated windows without size or position constraints | D | D | D | E | E |
| Allow web pages to use restricted protocols for active content | D | P | P | P | P |
| Allow web sites to open windows without address or status bars | D | D | D | E | E |
| Display mixed content | P | P | P | P | P |
| Don't prompt for client certificate selection when no certificates or only one certificate exists | D | D | D | E | E |
| Drag and drop or copy and paste files | P | E | E | E | E |
| Include local directory path when uploading files to a server | D | E | E | E | E |
| Installation of desktop items | D | P | P | P | E |
| Launching applications and unsafe files | D | P | P | E | E |
| Launching programs and files in an IFRAME | D | P | P | P | E |
| Navigate sub-frames across different domains | D | D | D | E | E |
| Open files based on content, not file extension | D | E | E | E | E |
| Software channel permissions | 1 | 2 | 2 | 2 | 3 |
| Submit non-encrypted form data | P | E | E | E | E |
| Use phishing filter | E | E | E | D | D |
| Use pop-up blocker | E | E | E | D | D |
| Userdata persistence | D | E | E | E | E |
| Web sites in less privileged content zone can navigate into this zone | D | E | E | E | P |

1 = Prohibit downloads from software update channels
2 = Cache content downloaded from software update channels
3 = Automatically install software updates
Scripting

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Active scripting | D | E | E | E | E |
| Allow programmatic clipboard access | D | P | P | P | E |
| Allow status bar updates via script | D | D | D | E | E |
| Allow Web sites to prompt for information using scripted windows | D | D | E | E | E |
| Scripting of Java applets | D | E | E | E | E |
User authentication

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Logon | 1 | 2 | 2 | 2 | 3 |

1 = Prompt the user for name and password
2 = Automatic logon only in intranet zone
3 = Automatic logon with current user name and password
Privacy settings (on the "Privacy" tab)

| Setting | H | MH | M | ML | L |
|---|---|---|---|---|---|
| Allow persistent cookies | D | E | E | E | E |
| Allow per-session cookies | D | E | E | E | E |
| Allow third-party persistent cookies | D | P | P | E | E |
| Allow third-party session cookies | D | E | E | E | E |
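The tables above tell you what each level is supposed to set, but not whether a given machine actually matches one. As an added example (my own script, not part of the original post or of anything from the IE team), here is a PowerShell audit that reads the current user's Internet zone and compares a handful of the zone-table rows above against the column for a chosen level. The post never says where IE stores these settings; the script assumes Microsoft's documented layout of the per-user Zones registry key, in which each URL action is a DWORD named by its hex action id (0 = Enable, 1 = Prompt, 3 = Disable, and the Logon action using 0x10000, 0x20000 and 0 for the three footnoted choices) and CurrentLevel records the selected slider position. That value-name mapping is an assumption drawn from Microsoft's documentation rather than from this post, so check it against the MSDN material before trusting a result; only settings whose value names I am sure of are included.

```powershell
# Added example, not from the original post: audit one IE security zone against
# one column of the tables above. ASSUMPTION: value names and encodings follow
# Microsoft's documented Zones registry layout (not stated in the post).
param(
    [ValidateSet('H', 'MH', 'M', 'ML', 'L')]
    [string]$Level = 'MH',
    [ValidateRange(0, 4)]
    [int]$Zone = 3   # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
)

# Per-user zone settings live here unless the Security_HKLM_only policy redirects them to HKLM.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"

# Subset of the post's rows, keyed by the (assumed) registry value name of each URL action.
# Levels are the post's abbreviations in H, MH, M, ML, L order.
$table = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                         Levels = 'D', 'P', 'P', 'P', 'E' }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Levels = 'D', 'D', 'D', 'D', 'P' }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                        Levels = 'D', 'E', 'E', 'E', 'E' }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Levels = 'D', 'D', 'D', 'D', 'P' }
    '1400' = @{ Name = 'Active scripting';                                         Levels = 'D', 'E', 'E', 'E', 'E' }
    '1405' = @{ Name = 'Script ActiveX controls marked as safe for scripting';     Levels = 'D', 'E', 'E', 'E', 'E' }
    '1406' = @{ Name = 'Access data sources across domains';                       Levels = 'D', 'D', 'D', 'P', 'E' }
    '1803' = @{ Name = 'File download';                                            Levels = 'D', 'E', 'E', 'E', 'E' }
    '1806' = @{ Name = 'Launching applications and unsafe files';                  Levels = 'D', 'P', 'P', 'E', 'E' }
    '1A00' = @{ Name = 'Logon';                                                    Levels = '1', '2', '2', '2', '3' }
}

$levelIndex = @{ H = 0; MH = 1; M = 2; ML = 3; L = 4 }
# Assumed CurrentLevel encodings of the slider positions.
$levelCodes = @{ H = 0x12000; MH = 0x11500; M = 0x11000; ML = 0x10500; L = 0x10000 }

function Get-ExpectedDword([string]$ValueName, [string]$Abbrev) {
    if ($ValueName -eq '1A00') {
        # Logon footnotes from the post: 1 = prompt, 2 = automatic only in intranet,
        # 3 = automatic with current credentials.
        switch ($Abbrev) { '1' { 0x10000 } '2' { 0x20000 } '3' { 0 } }
    } else {
        switch ($Abbrev) { 'E' { 0 } 'P' { 1 } 'D' { 3 } }
    }
}

$props = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
$idx   = $levelIndex[$Level]

$findings = foreach ($valueName in ($table.Keys | Sort-Object)) {
    $row      = $table[$valueName]
    $expected = Get-ExpectedDword $valueName $row.Levels[$idx]
    $prop     = $props.PSObject.Properties[$valueName]
    # A missing value means the zone is relying on its template default rather than an explicit setting.
    $actual   = if ($prop) { [int]$prop.Value } else { $null }
    [pscustomobject]@{
        Setting  = $row.Name
        Value    = $valueName
        Expected = '0x{0:X}' -f $expected
        Actual   = if ($null -ne $actual) { '0x{0:X}' -f $actual } else { '(not set)' }
        Matches  = ($actual -eq $expected)
    }
}

$findings | Format-Table Setting, Value, Expected, Actual, Matches -AutoSize | Out-Host

$mismatches = @($findings | Where-Object { -not $_.Matches })
Write-Host ("{0} of {1} audited settings deviate from the '{2}' column." -f $mismatches.Count, $findings.Count, $Level)

$current = $props.PSObject.Properties['CurrentLevel']
if ($current -and [int]$current.Value -ne $levelCodes[$Level]) {
    Write-Host ("Slider says 0x{0:X}, not the code assumed for '{1}' (0x{2:X}): the zone has been customised or set to another level." -f [int]$current.Value, $Level, $levelCodes[$Level])
}
```

Run it as `.\Audit-IEZone.ps1 -Level M -Zone 3` to check the Internet zone against the "medium" column, or with `-Zone 2` to see whether Trusted sites has drifted below the level you intended. Any row reported as a mismatch is a setting that has been changed individually in the Custom level dialog (or by policy), which is exactly the kind of drift the slider position alone will not reveal.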