Updating Internet Options using a Script

  • Thread starter Thread starter Joe Sodora
  • Start date Start date
J

Joe Sodora

Is it possible to update I/E's Internet Options using a
separate script file? After installing SP2 on an XP box,
I/E does not run local html files containing JavaScript.
You have to manually go into the Internet Option settings
and check two boxes. Is it possible to have a separate
script file that will automatically do this? I would like
to package such a file with software that we sell. Thanks.
 
Joe said:
Is it possible to update I/E's Internet Options using a
separate script file? After installing SP2 on an XP box,
I/E does not run local html files containing JavaScript.
You have to manually go into the Internet Option settings
and check two boxes. Is it possible to have a separate
script file that will automatically do this? I would like
to package such a file with software that we sell. Thanks.
Click to expand...

That would be defeating the added security features in SP2, Joe, and I for
one would not want to use (let alone buy) software which would do so.
Perhaps you can rework the application to be more SP2 Security-compatible?
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

WinXP SP2: What's New for Internet Explorer and Outlook Express
http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx

What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

AumHa Forums
http://forum.aumha.org
 
Robear,

Thank you for responding, but I don't think you understood
my question or the situation.

(1) I don't want to run a script out of I/E that changes
the security settings. I would like to include another
file with the setup to do this. This would be the same as
instructing the user to make the changes themselves. I'm
trying to make it less confusing for them. Our software is
sold to real estate agents who in turn customize html
files and distribute them for free. I don't have contact
with the actual end users.

(2) It's not a matter of making our application more SP2
security compatible. These are local files that contain
JavaScript. There is no way to rewrite them and there's
nothing unsecure about them. Local files whether they are
run from a browser or not should be considered safe. All
local files should be trusted according to the help file
for Internet Explorer. Here is an excerpt directly from
the I/E help file in the section titled "Understanding
Security Zones". "In addition, any files already on your
local computer are assumed to be very safe, so minimal
security settings are assigned to them. You cannot assign
a folder or drive on your computer to a security zone."

The ironic thing is - these same files run just fine from
the internet. It's only when they are on your local PC
that you get the error. (How's that for security?) It's
actually a problem with SP2. The two options "Allow active
content from CD's to run on my computer" and "Allow active
content to run in files on my computer" just need to be
set. This should be the default settings with SP2.

Thanks again.

Joe Sodora
 
...The two options "Allow active
content from CD's to run on my computer" and "Allow active
content to run in files on my computer" just need to be
set. This should be the default settings with SP2.
Click to expand...

I (and MS, obviously) disagree. Consider that one helluva lotta hijackware
is "drive by" installed under just those settings!
 
Than why do they allow these exact same files to be run
from the internet without giving you an error message? Are
files run from the internet safer than local files on your
computer?

Try it yourself. Take simple html file and insert
JavaScript. If you ftp that file to a web site, you will
be able to run it from the web with the default browser
settings. Then try to run that same file from your c:
drive. You will get the security error message.

The fact is once you install any file on your local
computer, you are vulnerable. If you install an exe file,
it can do a lot more damage than an html file with
JavaScript.

But anyway, I'm not looking to argue this point, I looking
for help to get around a problem created by SP2.

Joe
 
Joe said:
Than why do they allow these exact same files to be run
from the internet without giving you an error message? Are
files run from the internet safer than local files on your
computer?

Try it yourself. Take simple html file and insert
JavaScript. If you ftp that file to a web site, you will
be able to run it from the web with the default browser
settings.
Click to expand...

"...with the default browser settings" is the rub: You *would* get an error
message (or prompt) if the Security Zone in which the file is running (e.g.,
Internet Zone) were configured to disallow the file or prompt before running
it. Try it yourself: Disable (or choose Prompt for) all scripting in IE
Tools>Internet Options>Security>Internet>Custom Level and see what happens
then.
 
Yep. Now you're getting it. And that's our beef with SP2.
The default out-of-the-box settings allow internet html
files with JavaScript to run without a warning, but not
the exact same files if they are stored locally on your
PC. Of course, you could change the settings and not allow
internet files with JavaScript to run, but you have to go
out of your way to make this happen. Local files should be
treated the same way.

As I stated earlier, this is Microsoft's philosophy "In
addition, any files already on your local computer are
assumed to be very safe, so minimal security settings are
assigned to them." Their actions, however, don't jive with
this.

Here is a simple html file with JavaScript:

<html>

<head>
<title>Test JavaScript</title>
</head>

<body>

<p>JavaScript Test</p>
<script LANGUAGE="JavaScript">
<!--
document.write("Last updated :");
document.write(document.lastModified);
// -->
</script>

</body>
</html>

Copy this code into Notepad and store it on your PC as an
html file and run it. If you have not set the two options,
you will get a security warning. But run this same file
online -
http://www.onlinerealtyproducts.com/JavaScriptTest.html
and you will not get a warning.

Joe
 
these same files run just fine from the internet

Ramesh has the answer. Do an OE search (Ctrl-Shift-F) with
Alt-r Ramesh
Alt-a Mark of the web

Subject: Re: Problem w/IE6 & XP SP2 & javascript
Date: Mon, 27 Sep 2004 18:38:37 +0530
 
Robert,

Sorry, but I don't know what an OE search is. Where do I
do the Ctrl-Shift-F, Alt-r and Alt-a? Is Ramesh the from
and Mark of the web the subject?

Thanks.

Joe
 
Joe Sodora said:
Robert,

Sorry, but I don't know what an OE search is. Where do I
do the Ctrl-Shift-F, Alt-r and Alt-a? Is Ramesh the from
and Mark of the web the subject?
Click to expand...

Yes. Exactly. Sorry I think I may have been thinking I was
replying to PA Bear who uses Outlook Express (OE).

You're still using the old version of the web interface to newsgroups
where the search is usually useless.

The new version doesn't allow any search expressions as Google Groups
does but it is still remarkably useful even with just those 5 words.

http://www.microsoft.com/windows/ie...19a1&catlist=&dglist=&ptlist=&exp=&sloc=en-US

However, the simplest search given the information from my hint
would have been:

http://www.google.com/search?q=ramesh+"mark+of+the+web"


HTH

Robert
---
 
A thousand thanks Robert. The site that you directed me to
had the answer. This is the best (easiest) solution.
Insert the following line in the html:

<!-- saved from url=(0023)http://www.contoso.com/ -->

The number 23 represents the length of the web site name.
Internet Explorer will bypass the settings.

Joe
 
All -

I've tried without success to implement the Mark of the Web solution to
my problem. I am trying to get pages to load from a CD, but the pages
include Flash. The Flash activeX control sets off the security
warning.

I have tried inserting the following generic code:

<!-- saved from url=(0014)about:internet -->

and have also tried this:

<!-- saved from url=(0023)http://www.rx4pool.com/ -->

These were inserted into the "head" portion of the html files. In both
cases, the system behaves just as it does when these bits of code are
not present.
Can anybody tell me what I'm doing wrong, if it's me?

- Allen
 
Hi,
According to the examples at
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#EHAA
the "about:internet" MOTW would be <!-- saved from
url=(0013)about:internet --> Apparently you shouldn't count the ":"

I don't know why the other MOTW doesn't work. Maybe removing the final slash
and making it
<!-- saved from url=(0022)http://www.rx4pool.com -->
would work.

I've read that the location of the MOTW comment is important. Try it just
before the </HEAD> tag or between that tag and the <HTML> tag. Or
immediately after the <HTML> tag. I can't find that message. I wish I could.

There are 2 other workarounds.
Rename those pages to from .HTM to .HTA or
Internet Options> Advanced> Security> check "Allow active content to run in
files on My Computer ."
Internet Options> Advanced> Security> check "Allow active content from CDs
to run on My Computer."

Hope this helps,
Don
[MS MVP- IE/OE]
 
Don -

Thanks for the response.

I had tried various combinations, including using no trailing slash in
the real domain name, and using the number (0013) in the generic code.
I've also tried moving the code to various different places within the
document. Perhaps I just never hit on the right combination. I think
this could be documented better. If it matters where you put it, it
might be nice if Microsoft would mention that in their articles about
it.

I've also tried the other solution of changing the filenames to .hta,
but that doesn't seem to work in my situation. What I'm trying to do
is to basically put an entire site onto a CD, so that people can have
access to the content without having to connect to the Internet. Since
I will not have control of the users' systems, solutions that involve
changing any of their settings aren't an option.

When I tried changing the filename to *.hta, the first page showed up
just fine, Flash and all, but when I clicked on a link to any other
page within the site I got a message asking whether I wanted to
download the file, and warning me that it might not be safe to do so.

Again, thanks for your response. I'll try futzing with the numbers and
changing the placement of the code.

- Allen
 
Allen,
A little more research (I'll confess to a limited knowledge of HTML)
indicates that the MOTW should perhaps be between <HEAD> and </HEAD>
http://menumachine.com/docs/instruction_pages/troubleshooting/mark_of_the_web.html

I still remember reading "somewhere" that location/spacing of the MOTW was
critical.
It was something like: No spaces between <HEAD> and MOTW.
Example: <HEAD><!-- saved from url=(0013)about:internet -->

Yet another source said that the MOTW should be the first line on the page,
before <HTML>

Good luck,
Don
[MS MVP- IE/OE]
 
Don -

Thanks for the response.

I had tried various combinations, including using no trailing slash in
the real domain name, and using the number (0013) in the generic code.
I've also tried moving the code to various different places within the
document. Perhaps I just never hit on the right combination. I think
this could be documented better. If it matters where you put it, it
might be nice if Microsoft would mention that in their articles about
it.

I've also tried the other solution of changing the filenames to .hta,
but that doesn't seem to work in my situation. What I'm trying to do
is to basically put an entire site onto a CD, so that people can have
access to the content without having to connect to the Internet.
Since I will not have control of the users' systems, solutions that
involve changing any of their settings aren't an option.

When I tried changing the filename to *.hta, the first page showed up
just fine, Flash and all, but when I clicked on a link to any other
page within the site I got a message asking whether I wanted to
download the file, and warning me that it might not be safe to do so.

Again, thanks for your response. I'll try futzing with the numbers
and changing the placement of the code.

- Allen
Click to expand...

Did you try the actual number of lines? (or one less)

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
Again, thanks for responding, Don and Frank.

I have tried various locations including first line in the file, before
the "doctype" declaration, first line after <html>, first line after
<head> (with no intervening spaces).

Frank, you said "Did you try the actual number of lines?" I'm not sure
what you mean. The minimal documentation provided by Microsoft says
that the number refers to the number of characters in the domain, as
listed to the right of the parentheses. They show the generic line two
different ways, on two different pages. Once with a (0013) and once
with (0014), which appears on a page that says you shouldn't count the
colon.

l've pretty much tried it everywhere. But even if I get IE to accept
that the first page belongs in the Internet zone, I fear that any file
that I link to from there will set off alarms, since they, too will be
referred to as local (whether or not the actual code in the pages
includes the MOTW.)
I really do appreciate your efforts in trying to help me.

- Allen
 
Again, thanks for responding, Don and Frank.

I have tried various locations including first line in the file,
before the "doctype" declaration, first line after <html>, first line
after <head> (with no intervening spaces).

Frank, you said "Did you try the actual number of lines?" I'm not
sure what you mean. The minimal documentation provided by Microsoft
says that the number refers to the number of characters in the
domain, as listed to the right of the parentheses. They show the
generic line two different ways, on two different pages. Once with a
(0013) and once with (0014), which appears on a page that says you
shouldn't count the colon.

l've pretty much tried it everywhere. But even if I get IE to accept
that the first page belongs in the Internet zone, I fear that any file
that I link to from there will set off alarms, since they, too will be
referred to as local (whether or not the actual code in the pages
includes the MOTW.)
I really do appreciate your efforts in trying to help me.

- Allen
Click to expand...

The actual number of lines in the file you're trying to open.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
Back
Top