What Are Java, JavaScript, VBScript, and ActiveX?
Managing Which Files Internet Explorer Downloads
Internet Explorer can retrieve a wide variety of files and objects, ranging from innocuous plain text files and images to potentially destructive executable programs. Some Web pages increase the amount of interactivity they can offer by downloading small programs to run on your computer. For example, rather than transmitting the individual frames of an animation over the Internet, a Web server may send an animation-constructing program that runs on your computer. A financial Web site may download a program that displays a scrolling stock ticker. Typically, this process is invisible to the user–the interaction or the animation just happens, without calling your attention to how it happens.
While these programs are useful, they also create security issues. If Web sites can put useful programs on your computer and run them without informing you, precautions must be taken to make sure that they can't also put harmful programs on your computer. Internet Explorer takes certain precautions automatically, and allows you the option to choose additional precautions.
Internet Explorer's downloaded object security allows you to decide, based on both the Web site where an object came from and the type of object, whether to retrieve an object, and once it's retrieved, what to do with it. Internet Explorer defines three levels of object access (low, medium, and high) to give varying amounts of access to your computer. You can also define custom access permissions, if the three standard settings don't meet your needs.
What Are Java, JavaScript, VBScript, and ActiveX?
Java is a language for sending small applications (called applets) over the Web, so that they can be executed by your computer. JavaScript is a language for extending HTML to embed small programs called scripts in Web pages. VBScript, a language that resembles Microsoft's Visual Basic, can be used to add scripts to pages that are displayed by Internet Explorer. Anything that VBScript can do, JavaScript (which Microsoft calls JScript) can do too, and vice versa.
ActiveX controls, like Java, are a way to embed executable programs into a Web page. Unlike Java and JavaScript, but like VBScript, ActiveX is a Microsoft system that is not used by Navigator or most other browsers. When Internet Explorer encounters a Web page that uses ActiveX controls, it checks to see whether that particular control is already installed and if it is not, IE installs the control on your machine.
Caution: ActiveX controls are considerably more dangerous than JavaScript or VBScript scripts or Java applets. Java applets and JavaScript scripts are run in a "sandbox" inside your Web browser, which limits the accidental or deliberate damage they can do; and VBScript scripts are run by an interpreter, which should limit the types of damage they can do. However, ActiveX controls are programs with full access to your computer's resources.
What Are Internet Explorer's Zones?
Internet Explorer divides the world into four zones:
* Internet: Includes all sites that are not in one of the other three zones. Objects from this zone generally are given the medium level of access to your computer.
* Local Intranet: Contains computers on your local network. They're usually considered fairly trustworthy, and objects are given a medium level of access to your computer.
* Trusted Sites: Includes the sites that you or Microsoft have listed as trustworthy. Objects from this zone generally are given the high level of access to your computer.
* Restricted Sites: Includes the sites that you have listed as untrustworthy. Objects from this zone are given the low level of access to your computer. Don't change the access level of this zone to grant higher access.
Downloaded ActiveX controls and other executable objects can and should be signed by their authors using a certificate scheme similar to that used for validating remote servers.
For each of the four zones into which a Web page can fall, you can set the security to high, medium, medium-low, or low. For each zone, you can set exactly which remote operations you're willing to perform. To prevent downloading and running software that might infect your system with a virus, see the section "Preventing Infection by Viruses" earlier in this chapter.
Controlling Your Download Security
The rules governing scripts and applets are set zone by zone on the Security tab of the Internet Options dialog box. To examine or change these settings:
- Open the Internet Options dialog box by selecting Tools | Internet Options from the Internet Explorer menu bar.
- Click the Security tab of the Internet Options dialog box.
[image: Security tab of the Internet Options dialog box]
- Select the security zone you want to examine or change. The rest of the information on the Security tab changes to show the settings for that zone.
- If you want to change the security setting of a zone, move the slider on the Security tab of the Internet Options dialog box. (The slider doesn't appear if the zone has been given custom settings. To reset such a zone to one of the standard settings, click the Default Level button. When the slider reappears, you can move it to the desired setting.)
- If you want to change the security settings of the selected zone, scroll through the Security Settings dialog box until you see the item you want to change. Change an item by selecting or deselecting its check box or by selecting a different radio button than the current selection.
- Click OK to close each open dialog box. Click Yes in the confirmation box that asks if you want to change the security settings.
Displaying and Changing Settings for Zones
To add or delete a Web site from the Local Intranet, Trusted Sites, or Restricted Sites Zones, click the zone on the Security tab of the Internet Options dialog box. Click the Sites button. (There's no button for the Internet Zone, since it contains all the Web sites that are not contained in the other three zones.) You see a dialog box like the one shown here: [image]
If you want to include only sites that have secure servers, leave the Require Server Verification (https:) For All Sites In This Zone check box selected. If you want to be able to add any Web site to the list of trusted sites for this zone, deselect the check box. To add a site, type its URL (including http:// or https://) in the top box and click Add. To remove a site, click in the Web Sites box and click Remove.
Controlling Which Web Sites Are in the Local Intranet Zone
The Local Intranet Zone normally contains sites on your own local area network and is set up that way by your network administrator when he or she sets up the network. When you click Add Sites on the Security tab, Windows displays the Local Intranet Zone dialog box, with these three check boxes:
* Include All Local (Intranet) Sites Not Listed In Other Zones: Select this check box to include all other sites on the same local area network in the Local Intranet Zone. This check box is usually checked.
* Include All Sites That Bypass The Proxy Server: Many organizations have a proxy server that mediates access to sites outside the organization. Select this check box to include sites outside your organization to which your organization lets you connect directly in the Local Intranet zone. You can see a list of the sites that bypass the proxy server by displaying the Internet Properties or Internet Options dialog box, clicking the Connections tab, and clicking the Advanced button.
* Include All Network Paths (UNCs): Select this check box to include all the sites with UNC addresses (Universal Naming Convention addresses), which apply only to computers on your LAN.
You can also click the Advanced button to add sites individually, as for Trusted and Restricted sites. See Chapter 30 for more information on how networks connect to the Internet.
Controlling Which Web Sites Are in the Trusted and Restricted Sites Zones
The Trusted and Restricted Sites zones start with no Web sites listed; you must specify the Web sites to include in these zones. To specify sites, select the zone to which you want to add sites and click Sites on the Security tab of the Internet Options dialog box. You see the Trusted Sites or the Restricted Sites dialog box, the first of which is shown in Figure 31-2. To add a new site, type its full address, starting with http:// or https://, into the Add This Web Site To The Zone box and click Add. The Web site appears in the Web Sites list. To remove a site, select it in the Web Sites list and click Remove. You can require a verified secure connection to all sites in this zone by clicking the Require Server Verification (https:) For All Sites In This Zone check box at the bottom of the dialog box; when selected, this setting prevents you from adding any sites that don't support HTTPS, which is described in the section "Securing Your Web Communication with Encryption and Certificates" later in this chapter.
[figure]
Figure 31-2: Adding sites to the Trusted Sites zone
Managing Java and JavaScript
The security settings that affect how Internet Explorer deals with Java and JavaScript programs are in the Microsoft VM and Scripting sections of the Security Settings dialog box. Follow these steps:
- On the Security tab of the Internet Options dialog box, click the zone for which you want to change or see the settings.
- Click the Custom Level button to display the Security Settings dialog box, shown here:
[image]
- You may change what these applets and scripts are allowed to do on your computer, or even disable Java or JavaScript entirely, by choosing Disable (Internet Explorer does not run this type of program downloaded from this zone), Enable (IE does run this type of program downloaded from this zone), or Prompt (ask before running the program).
Managing ActiveX Controls
We have never been big fans of ActiveX controls. They allow Web sites to have too much power over your system and are hard to monitor. If you should happen to download and install a rogue ActiveX control by mistake, it could (on its own) download and install lots more rogue ActiveX controls–which would then be permanent parts of your software environment, even when you are offline. None of this would appear the least bit suspicious to any virus-detecting software you might own, because ActiveX controls aren't viruses: They have the same status as applications that you install yourself.
Disabling ActiveX controls is one option, as described in the previous section. However, if you frequent Microsoft Web sites like MSN or MSNBC, you will be exposed to numerous temptations to turn them back on. (We finally gave in to the excellent portfolio-tracking services at MSN Moneycentral.) We suggest the following compromise: Disable ActiveX controls everywhere but in the Trusted Sites security zone. (Do this from the Security Settings dialog box, following the steps in the previous section.) When you find a Microsoft Web site that offers some wonderful service involving ActiveX controls, move that site into the Trusted Sites security zone.
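The compromise above can be checked from PowerShell instead of clicking through each zone. This is an added example, not part of the original chapter; the registry path, zone numbers and action codes are Microsoft's documented values for per-zone settings and do not appear in the text.

```powershell
# Added example: report the current user's ActiveX settings per zone and flag any
# zone other than Trusted Sites where ActiveX is not disabled.
# Group Policy or machine-wide settings can override these per-user values.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @(
    @{ Id = 1; Name = 'Local Intranet' }
    @{ Id = 2; Name = 'Trusted Sites' }
    @{ Id = 3; Name = 'Internet' }
    @{ Id = 4; Name = 'Restricted Sites' }
)
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($zone in $zones) {
    $props = Get-ItemProperty -Path "$zonesKey\$($zone.Id)" -ErrorAction SilentlyContinue
    foreach ($code in $actions.Keys) {
        $raw = $props.$code    # $null when the value is absent for this user
        $state = if ($null -eq $raw) {
            'Not set'
        } elseif ($states.ContainsKey([int]$raw)) {
            $states[[int]$raw]
        } else {
            'Other (0x{0:X})' -f $raw
        }
        # Under the suggested compromise only Trusted Sites (zone 2) may allow ActiveX.
        $ok = ($zone.Id -eq 2) -or ($state -eq 'Disable')
        [pscustomobject]@{
            Zone    = $zone.Name
            Setting = $actions[$code]
            State   = $state
            Finding = if ($ok) { 'OK' } else { 'ActiveX not disabled outside Trusted Sites' }
        }
    }
}
$report | Format-Table -AutoSize
```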
ActiveX controls are stored in the folder C:\Windows\Downloaded Program Files (if Windows is installed in C:\Windows). If you use Internet Explorer, you should check this folder periodically to see what applications Internet Explorer has downloaded. Dispose of an ActiveX control by right-clicking its icon and selecting Remove from the shortcut menu.
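The periodic check of that folder can be scripted, and combined with the signing check mentioned earlier for downloaded controls. This PowerShell is an added example, not from the original chapter; the function name Get-DownloadedControl and the list of file extensions are assumptions made for illustration.

```powershell
# Added example: list the binaries in the downloaded-controls folder and show
# whether each one carries a valid Authenticode signature.
$folder = Join-Path $env:windir 'Downloaded Program Files'

function Get-DownloadedControl {
    param([string]$Path = $folder)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -File -Force |
        Where-Object { $_.Extension -in '.ocx', '.dll', '.exe', '.cab' } |   # assumed extension list
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.Name
                Created   = $_.CreationTime
                Signature = $sig.Status    # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Controls without a valid signature sort first, then newest first.
Get-DownloadedControl |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                @{ Expression = 'Created'; Descending = $true } |
    Format-Table -AutoSize
```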