The Web makes our world
simultaneously bigger and smaller; it's hard to imagine computing—or
even a meal—without a web browser within reach. It's also hard to forget
everything that comes along for the ride, such as pop ups, spam, and
the constant reminders that "your privacy may be at risk."
1. Lock Down Internet Explorer
Over
the years, Microsoft has fixed dozens of security holes in Internet
Explorer, and if you've been using the Windows Update feature regularly,
you already have the latest and greatest fixes installed. But the
larger issue is IE's underlying design—and its cozy connection with the
underlying operating system—which permits any web site to install
software on your PC. At first, web site designers used this capability
sparingly, mostly to install widgets and small helper programs to add
trivial features to their pages. But it didn't take long for
unscrupulous hackers and greedy corporate executives to learn how to
exploit Internet Explorer's open nature, which is why we now have
spyware, adware, browser hijackers, pop ups, and other nasty surprises.
Despite these problems, Microsoft has too much corporate strategy tied
up in this design to change it now, which leaves you with two choices:
hobble Internet Explorer by turning off the most dangerous features, or
use a different browser (or both).
If you want to stick with Internet Explorer for now, open Control Panel and then Internet Options (or in IE, open the Tools drop-down and select Internet Options). Choose the Security tab, and turn on the Enable Protected Mode option if it's not already enabled. Then select the Internet "zone" globe icon at the top, and then click Custom Level below to open the Security Settings dialog box shown in Figure 1.
Next,
go down the list, and set the options as follows. (Note that your list
may differ slightly as the result of recent updates from Microsoft.)
| Option | Set to... |
|---|---|
| .NET Framework → Loose XAML | Disable |
| .NET Framework → XAML browser applications | Disable (!) |
| .NET Framework → XPS documents | Disable |
| .NET Framework-related → Run components not signed with Authenticode | Disable (!) |
| .NET Framework-related → Run components signed with Authenticode | Disable |
| ActiveX controls → Allow previously unused ActiveX controls to run... | Disable |
| ActiveX controls → Allow scriptlets | Disable |
| ActiveX controls → Automatic prompting for ActiveX controls | Disable |
| ActiveX controls → Binary and script behaviors | Administrator approved |
| ActiveX controls → Display video and animation on a web page that does not use external media player | Disable |
| ActiveX controls → Download signed ActiveX controls | Disable (!) |
| ActiveX controls → Download unsigned ActiveX controls | Disable (!) |
| ActiveX controls → Initialize and script ActiveX controls not marked as safe | Disable (!) |
| ActiveX controls → Run ActiveX controls and plug-ins | Administrator approved |
| ActiveX controls → Script ActiveX controls marked safe for scripting | Disable |
| Downloads → Automatic prompting for file downloads | Disable |
| Downloads → File download | Enable |
| Downloads → Font download | Prompt |
| Enable .NET Framework setup | Disable |
| Java VM → Java permissions | High safety |
| Miscellaneous → Access data sources across domains | Disable |
| Miscellaneous → Allow META REFRESH | Enable |
| Miscellaneous → Allow scripting of Internet Explorer Web browser control | Disable |
| Miscellaneous → Allow script-initiated windows without size or position constraints | Disable |
| Miscellaneous → Allow Web pages to use restricted protocols for active content | Disable |
| Miscellaneous → Allow web sites to open windows without address or status bars | Disable |
| Miscellaneous → Display mixed content | Prompt |
| Miscellaneous → Don't prompt for client certificate selection... | Disable |
| Miscellaneous → Drag and drop or copy and paste files | Enable |
| Miscellaneous → Include Local directory path when uploading files to a server | Disable (!) |
| Miscellaneous → Installation of desktop items | Disable (!) |
| Miscellaneous → Launching applications and unsafe files | Disable (!) |
| Miscellaneous → Launching programs and files in an IFRAME | Disable |
| Miscellaneous → Navigate sub-frames across different domains | Prompt |
| Miscellaneous → Open files based on content, not file extension | Enable |
| Miscellaneous → Software channel permissions | High safety |
| Miscellaneous → Submit nonencrypted form data | Enable |
| Miscellaneous → Use Phishing Filter | Enable (!) |
| Miscellaneous → Use Pop-up Blocker | Enable (!) |
| Miscellaneous → Userdata persistence | Enable |
| Miscellaneous → Web sites in less privileged web content zone can navigate... | Enable |
| Scripting → Active Scripting | Prompt |
| Scripting → Allow Programmatic clipboard access | Disable (!) |
| Scripting → Allow status bar updates via script | Disable |
| Scripting → Allow web sites to prompt for information using scripted windows | Disable |
| Scripting → Scripting of Java applets | Enable |
| User Authentication → Logon | Anonymous logon |
Click OK when you're done changing security settings. Next, click the Trusted sites (green checkmark) icon, click the Sites button, and turn off the Require server verification (https:) for all sites in this zone option. Type the following URLs into the Add this Web site to the zone field, clicking the Add button after each one:
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://*.windowsupdate.microsoft.com
These four URLs permit the Windows Update feature to
continue working unencumbered by your new security settings. The
asterisks are wildcards allowing these rules to apply to variants, such
as http://download.windowsupdate.com. Feel free to add the domains for other web sites you trust, and then click OK when you're done.
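To confirm that the Internet zone settings from the table actually took effect, the following added example (not part of the original article) reads them back from the registry and compares the rows marked "(!)" with the recommended values. The registry value names (URL action IDs) and the 0/1/3 encoding are taken from Microsoft's documentation of security zone registry entries and are assumptions here, since the article itself only names the dialog options.

```powershell
# Added example (read-only): compare the current user's Internet zone (zone 3)
# with the rows the table marks "(!)". Assumes PowerShell 3.0 or later.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# How the dialog's choices are stored in the registry (DWORD values)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

# Registry value name (URL action ID), the table row it backs, and the wanted value
$expected = @(
    @{ Id = '2400'; Row = 'XAML browser applications';                       Want = 3 }
    @{ Id = '2004'; Row = 'Run components not signed with Authenticode';     Want = 3 }
    @{ Id = '1001'; Row = 'Download signed ActiveX controls';                Want = 3 }
    @{ Id = '1004'; Row = 'Download unsigned ActiveX controls';              Want = 3 }
    @{ Id = '1201'; Row = 'Initialize and script ActiveX not marked safe';   Want = 3 }
    @{ Id = '160A'; Row = 'Include local directory path when uploading';     Want = 3 }
    @{ Id = '1800'; Row = 'Installation of desktop items';                   Want = 3 }
    @{ Id = '1806'; Row = 'Launching applications and unsafe files';         Want = 3 }
    @{ Id = '1407'; Row = 'Allow Programmatic clipboard access';             Want = 3 }
    @{ Id = '2301'; Row = 'Use Phishing Filter';                             Want = 0 }
    @{ Id = '1809'; Row = 'Use Pop-up Blocker';                              Want = 0 }
)

$current = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

$report = foreach ($row in $expected) {
    $actual = $current.($row.Id)      # $null when the value is not present
    $shown = if ($null -eq $actual) {
        'not set'
    } elseif ($label.ContainsKey([int]$actual)) {
        $label[[int]$actual]
    } else {
        '0x{0:X}' -f $actual          # unknown encoding: show the raw value
    }
    [pscustomobject]@{
        Setting  = $row.Row
        Expected = $label[$row.Want]
        Actual   = $shown
        OK       = ($actual -eq $row.Want)
    }
}

$report | Format-Table -AutoSize -Wrap
```

Settings pushed by Group Policy are stored under a separate Policies key and override the per-user values this script reads, so a row can show OK here and still behave differently on a managed PC.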
Now
that you see what's required to make Internet Explorer safer (albeit
not bulletproof), you might be tempted to dump IE entirely in favor of a
design that doesn't put your PC at risk. Mozilla Firefox, available for
free from http://www.mozilla.com/,
is an open source, standards-compliant web browser that is faster, much
safer, and more feature-rich than Internet Explorer. It does a better
job of blocking pop ups, has a more customizable interface, and can be
enhanced with powerful extensions. If you want to disable IE altogether, see the "Turn Off Internet Explorer" sidebar, next.
Thanks
to a court settlement several years ago, you can completely block
Internet Explorer on your PC, a particularly effective tactic if you're
setting up a PC for someone else and you don't want to have to come back
six months later to cleanse it of spyware. In Control Panel, open Default Programs, and then click the Set program access and computer defaults link. In the window that appears, choose the Custom option, and then click the little double-arrow icon on the right side to expand the category. In the Choose a default Web browser section, make sure your favorite web browser is selected, and then turn off the Enable access to this program checkbox next to Internet Explorer. When you're done, click OK; the change will take effect immediately. The IE icons will disappear, and you'll get an error if you try to launch iexplore.exe.
2. Change Internet Shortcut Icons
If you're a fan of desktop icons, you've probably grown accustomed to right-clicking a new shortcut, selecting Properties, and then clicking the Change Icon button to choose a new icon for it. Pity this doesn't work on Vista's Internet Shortcuts.
Not
surprisingly, Microsoft likes its IE logo, and it doesn't want you to
change it. Good thing we don't care what Microsoft wants.
It
turns out that this problem is the result of an intentional change
introduced in Internet Explorer 7; while Microsoft insists that "this
behavior is by design," it offers a hotfix update at http://support.microsoft.com/kb/935779 that does indeed fix the problem.
At
the time of this writing, you can't download this hotfix directly from
the Microsoft web site. Rather, Microsoft will only let you have it if
you pick up a telephone and call (the U.S. number is 1-800-936-4900) to
request that hotfix 935779 be sent to you via email. If you can't get it that way, you can also download it from http://annoyances.org/935779 until it has been made more easily available via the Windows Update service.
If Microsoft's hotfix doesn't solve the problem, try the following solution:
Open the Registry Editor.
Expand the branches to HKEY_CLASSES_ROOT\InternetShortcut\ShellEx.
Look for a subkey of ShellEx called IconHandler; if it's not there, right-click the ShellEx key, select New → Key, and type IconHandler for the name of the new key.
If the key already exists, it might be locked, so you'll need to unlock it before you make any changes.
Right-click the IconHandler key and select Permissions. On the Permissions for IconHandler window, click Advanced, and then choose the Owner tab. From the Change owner to list, select your username (or select Administrators) and turn on the Replace owner on subcontainers and objects option. Click OK and then OK again to close both windows.
Right-click the IconHandler key and select Permissions again. From the Group or user names list, select your username (or, again, select Administrators), place a checkmark in the Allow column next to Full Control, and then click OK.
Next, highlight the IconHandler key and double-click the (Default) value in the right pane.
Type {FBF23B40-E3F0-101B-8488-00AA003E56F8} into the Value data field, and click OK.
Click OK and then close the Registry Editor. If the change doesn't take effect immediately, restart Windows.
There's a quirk that prevents some Internet Shortcut icons from working. The INI file format upon which .URL
files are based has a limit on the length of any line of text in the
file. If a URL is too long, it wraps around to the next line and
disrupts the icon (and of course, doesn't work as intended). To fix an
Internet Shortcut broken in this way, open it in Notepad and shorten the
URL.
Now, if you actually turned to this page to change the default icon used for all Internet Shortcuts, then follow these steps:
Open the Registry Editor.
Expand the branches to HKEY_CLASSES_ROOT\http\DefaultIcon.
This key is locked by default, so before you can make any changes, you'll need to unlock it. Right-click the DefaultIcon key and select Permissions.
On the Permissions for DefaultIcon window, click Advanced, and then choose the Owner tab. From the Change owner to list, select your username (or select Administrators) and turn on the Replace owner on subcontainers and objects option. Click OK and then OK again to close both windows.
Right-click the DefaultIcon key again and select Permissions. From the Group or user names list, select your username (or, again, select Administrators), place a checkmark in the Allow column next to Full Control, and then click OK.
Now that you've unlocked the key, highlight it and then double-click the (Default) value in the right pane.
Type (or paste) the full path and filename of the icon you want to use, followed by a comma and a zero:
c:\icons\maeby.ico,0
Click OK and then close the Registry Editor. If the change doesn't take effect immediately, restart Windows.
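Both registry procedures above change a key's owner and permissions before editing its (Default) value, so it is worth reading the result back afterwards. This added example (not from the original article) reports the (Default) value, the owner, and every account that is now allowed to write to each of the two keys; it assumes PowerShell 3.0 or later and changes nothing.

```powershell
# Added example (read-only): inspect the two keys edited in the steps above.
$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\InternetShortcut\ShellEx\IconHandler'
       Want = '{FBF23B40-E3F0-101B-8488-00AA003E56F8}' }   # value given in the steps
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\http\DefaultIcon'
       Want = $null }                                       # your own icon path: report only
)

$setValue = [System.Security.AccessControl.RegistryRights]::SetValue

$results = foreach ($c in $checks) {
    if (-not (Test-Path -Path $c.Path)) {
        Write-Warning "$($c.Path) does not exist"
        continue
    }

    # An empty value name addresses the key's (Default) value
    $default = (Get-Item -Path $c.Path).GetValue('')
    $acl     = Get-Acl -Path $c.Path

    # Accounts with an Allow entry that includes the right to set values
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.RegistryRights -band $setValue) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $matches_ = if ($c.Want) { $default -eq $c.Want } else { 'n/a' }

    [pscustomobject]@{
        Key      = $c.Path -replace '^Registry::', ''
        Default  = $default
        Matches  = $matches_
        Owner    = $acl.Owner
        CanWrite = $writers -join ', '
    }
}

$results | Format-List
```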