Last modified: 19 December 2006. Chris Cant.
Web pages with active content running locally
The security changes in XP SP2, Vista and equivalent affect any web page with "active content" running locally on your computer in Internet Explorer. Many people provide web page information on CD or DVD, provide product documentation as web pages, or work with web pages locally before putting them online. Even very innocuous JavaScript is deemed to be active content, and a user will have to agree to very worrying warning messages to see a page, or change a security setting. Some valid active content may not work even if the user has enabled active content for the current window.
See below for screen shots of SP2 when trying to run a Java applet locally.
In all the following text, SP2 refers to Windows XP with Service Pack 2 or later, Windows Vista and equivalent Windows operating systems.
Web pages on your local computer
Windows XP SP2 and Vista Introduction
Windows XP SP2, Vista and equivalent include improvements to Internet Explorer security that are intended to help most users by stopping local web pages that contain "active content" from accessing your computer maliciously. "Active content" includes JavaScript, Java applets and ActiveX controls.
Users and developers of CDs containing our FindinSite-CD applet - please read our How to run FindinSite-CD in XP SP2 instructions.
Changes for web pages running locally
By default in SP2, Internet Explorer will not let any active content run in web pages that run locally (in the Local Machine zone, i.e. My Computer). The user will see a warning message in the new yellow Information Bar. Clicking there lets the user choose "Allow Blocked Content", after agreeing to another dire warning.
The likely effect of this is that most users will not let local active content run, even if it is only mundane JavaScript to run a menu system.
The browser is becoming the standard interface for many applications, including those that run locally. Many people provide web page information on CD or provide product documentation as web pages. In addition many people write and test web pages locally.
Although Microsoft have provided two options to enable local content, these new security restrictions make life much harder for people who create or view content that is used locally. Most people will not want to reduce their default security settings for fear of having their computers corrupted.
[Screenshot: Information Bar introduction box]
The Information Bar is aptly named - it bars you from viewing information locally...
Why are Microsoft doing this?
We understand that the main problem is online web sites that find security holes so as to be able to run code locally. Code that runs locally used to be able to damage your system because it ran with the highest privileges. So - rather than block up the security holes - Microsoft have decided to clamp down on all local web page active content so that the user has to agree to various dire warnings before letting it run.
All local web pages (including those on CD) are currently affected. There are ways to turn off this security feature (as described below). However, if it is turned off to make ordinary local content run, then users are susceptible to the same security holes as before.
We also posted a letter to Microsoft UK on 1 July 2004, but to date have had no reply.
We tried to highlight this issue with Microsoft in the SP2 preview forums - to no avail: the advice was simply to adapt to the new situation, ie the decision had been made and it was not going to change. Perhaps Microsoft thinks that the problems are a price worth paying to make online surfing safe. Or perhaps they have not realised that many people view content locally. One of our big users in the USA produces 800,000 CDs every April - the CDs will not run in the default SP2 settings. We have lost another order because the client could not tell their users to change their security settings.
What do Microsoft suggest?
These seem to be Microsoft's suggestions... but they are not good enough... (see below for full details)
Turn off local machine security
But: We have already had to refund an order because "we don't have control over our end-users machines. We can't simply tell them to change their settings."
Give all pages "the Mark of the Web"
But: You cannot seriously expect all pages to have this added. And links to other file types don't work.
Wrap your application in an HTA file
But: Superficially this isn't too awful a job, but why does the world have to do this? (Existing local content will not be fixed.)
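To show what the "Mark of the Web" suggestion involves for a set of local pages, here is an added example (not code from this site or from Microsoft) that audits pages for active content and for a well-formed Mark of the Web comment. The Mark of the Web is an HTML comment of the form `<!-- saved from url=(0014)about:internet -->`, where the four-digit number is the length of the URL that follows; a page carrying it is run by Internet Explorer under the Internet zone rather than the locked-down Local Machine zone. The page names, sample HTML and the heuristic patterns for active content are assumptions constructed for illustration.

```python
import re

# MOTW comment format: <!-- saved from url=(NNNN)URL -->
# NNNN is the character count of URL, zero-padded to four digits.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.I)

# Heuristic patterns for "active content" as the article defines it
# (JavaScript, Java applets, ActiveX controls). Assumed, not exhaustive.
ACTIVE = {
    "script": re.compile(r"<script\b", re.I),
    "applet": re.compile(r"<applet\b", re.I),
    "object/embed": re.compile(r"<(?:object|embed)\b", re.I),
    "event handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "javascript: URL": re.compile(r"""=\s*["']?\s*javascript:""", re.I),
}

def make_motw(url="about:internet"):
    """Build a Mark of the Web comment with the correct length field."""
    return f"<!-- saved from url=({len(url):04d}){url} -->"

def motw_status(html):
    """Return 'missing', 'bad-length' or 'ok' for the page's MOTW."""
    m = MOTW_RE.search(html)
    if not m:
        return "missing"
    return "ok" if int(m.group(1)) == len(m.group(2)) else "bad-length"

def audit(pages):
    """Map page name -> (active kinds found, MOTW status, needs attention)."""
    report = {}
    for name, html in pages.items():
        kinds = [k for k, rx in ACTIVE.items() if rx.search(html)]
        status = motw_status(html)
        # Active content without a valid MOTW is what triggers the block.
        report[name] = (kinds, status, bool(kinds) and status != "ok")
    return report

# Constructed sample pages standing in for files on a CD.
SAMPLE_PAGES = {
    "index.htm": make_motw() + '\r\n<html><script src="menu.js"></script></html>',
    "search.htm": '<html><applet code="Search.class"></applet></html>',
    "help.htm": '<!-- saved from url=(0023)about:internet -->\r\n'
                '<html><body onload="init()"></body></html>',
    "plain.htm": "<html><body><p>No scripting here.</p></body></html>",
}

if __name__ == "__main__":
    for name, row in audit(SAMPLE_PAGES).items():
        print(name, row)
```

Pages flagged as needing attention are the ones a reader opening the content from disk would see blocked by the Information Bar; static pages such as `plain.htm` need no mark at all.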
Microsoft information pages:
Local Machine Zone Lockdown
Local Machine Zone Lockdown - Developer Implications
Internet Explorer 6 Resource Kit: XP SP2 Enhancements to Internet Explorer 6 - click on "Local Machine Zone Lockdown"
Internet Explorer Administration Kit: XP SP2 Enhancements to Internet Explorer 6 - click on "Local Machine Zone Lockdown"
Changes to Functionality in XP SP2: Part 5: Enhanced Browsing Security - click on "Internet Explorer Local Machine Zone Lockdown"