Friday, 18 November 2011

Technical details

This section contains registry information - only use if you feel happy working with the registry editor. Make a backup using File+Export.

The two "Allow active content" security settings are stored in the registry. Lockdown is ON if the setting is NOT checked.

Registry key/value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Type: DWORD. Lockdown ON: 1. Lockdown OFF: 0.

Registry key/value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
Type: DWORD. Lockdown ON: 0. Lockdown OFF: 1.

Windows uses different "zones" to describe web content, as seen in Tools+Internet Options Security tab, ie "Internet", "Local Intranet", "Trusted sites" and "Restricted". The local "My Computer" zone icon is normally hidden (see below to enable it).

There are lots of permission values associated with each zone, ie all the options shown if you click on the "Custom level" button.
Microsoft: URL Action Flags
Microsoft: Description of Internet Explorer security zones registry entries

If Local Machine Lockdown is ON then the "My Computer" permissions are taken from this registry location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

If Local Machine Lockdown is OFF then the "My Computer" permissions are taken from this registry location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

The "Allow active content from CDs" setting also switches between these registry locations for web pages on CD.

When the "My Computer" zone icon is enabled, setting custom levels only changes the permissions that apply when Local Machine Lockdown is OFF (ie in ...\Zones\0). You can change the settings for when Local Machine Lockdown is ON, but you can only do this using the registry editor.

If Lockdown is ON but you change the zone settings (in ...\Lockdown_Zones\0), then an Information Bar warning is shown, but the active content is displayed correctly.
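To see which of the two locations is in effect from a File+Export backup, the rules above can be applied to the exported text. The following Python is an added example, not part of the original page; the function names and the sample export are constructed, and it reads only the two HKEY_CURRENT_USER values listed above.

```python
import re

FEATURE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
               r"\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN")
ZONES_BASE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Internet Settings")

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')

# Constructed sample in Registry Editor export format (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"=dword:00000000
"""


def parse_reg_export(text: str) -> dict:
    """Return {key_lower: {value_name_lower: int}} for the DWORD values in an
    export. Registry names are case-insensitive; other value types are skipped."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = values.setdefault(key.group(1).lower(), {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            current[dword.group(1).lower()] = int(dword.group(2), 16)
    return values


def my_computer_zone_source(values: dict) -> dict:
    """Say which key supplies the "My Computer" permissions for pages on the
    hard disk and for pages on CD, using the ON/OFF values given on this page."""
    def lookup(key, name):
        return values.get(key.lower(), {}).get(name.lower())

    def resolve(setting, on_value):
        if setting not in (0, 1):
            # Value missing from this export, or not one of the two listed values.
            return {"lockdown": None, "zone_key": None}
        locked = setting == on_value
        sub = r"\Lockdown_Zones\0" if locked else r"\Zones\0"
        return {"lockdown": locked, "zone_key": ZONES_BASE + sub}

    return {
        # iexplore.exe: 1 = Lockdown ON, 0 = Lockdown OFF
        "disk": resolve(lookup(FEATURE_KEY, "iexplore.exe"), 1),
        # LOCALMACHINE_CD_UNLOCK: 0 = Lockdown ON, 1 = Lockdown OFF
        "cd": resolve(lookup(FEATURE_KEY + r"\Settings", "LOCALMACHINE_CD_UNLOCK"), 0),
    }


if __name__ == "__main__":
    report = my_computer_zone_source(parse_reg_export(SAMPLE_EXPORT))
    for origin, info in report.items():
        print(origin, info)
```

Files saved by the Registry Editor in this format are normally UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg_export`.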

Showing the "My Computer" security zone

If active content is enabled on My Computer (ie Local Machine Lockdown is OFF) then you might want to adjust the permissions, ie actions that can be taken safely. To make adjustments, you will first have to enable the "My Computer" zone icon in the Internet Explorer Tools+Internet Options Security tab.
Microsoft: How to Enable the My Computer Security Zone in Internet Options

There are two ways to make the "My Computer" zone icon visible:

by clicking on this link - EnableMyComputerIcon.reg
or by changing this registry location from hexadecimal 21 to hexadecimal 47:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags

Screenshots:

When enabled, the 'My Computer' icon appears in Internet Options - Security tab

File download security warning
Registry editor change confirm request
Registry editor change done

Thanks to Marc Castles and Jetski.

New web pages viewed locally - the "Mark of the Web" solution

Microsoft documentation suggests this as a solution for authors - you must change every single one of your web pages. The idea is that you give each web page a "Mark of the Web". Then Internet Explorer treats the page as if it were being viewed in the Internet zone.

In an experiment with a few trial web pages, I found that this technique was successful if I remembered that every single page has to have "the Mark". Links from Mark-ed pages to unMark-ed pages silently do not work (however hard you click...). Some sort of indication of the problem would be nice... and an option to go there as well.

A similar problem exists with links to other types of file. A test HTML file had a link to a PowerPoint presentation. The link did not work if the HTML file had the Mark. The link still did not work if I set the "Hyperlink Base" for the presentation to match the HTML Mark. Links to other file types are very common on CDs, so many CDs will fail to run correctly if they are given the Mark.
(To do: check what happens with PDFs that have been given a matching Base URL.)
Many types of file do not have the ability to set a Base URL, so they will be unshowable.

This technique did make our FindinSite-CD Java applet work without any problems. However - as above - if any result page did not have a "Mark of the Web" then FindinSite-CD could not show it.

To give a web page a "Mark of the Web" add in "saved from url" comment text at the start of the file, as described by Microsoft's Mark of the Web documentation. There are two possible incantations:




The number in brackets is the decimal length of the string that follows it. The line must end in CR LF.
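The length rule and the CR LF requirement can be checked mechanically before pages are put on a CD. The following Python is an added example, not code from the original page or from Microsoft; the function names and the `scan_lines` limit are hypothetical, and it assumes the four-digit zero-padded count used in Microsoft's documented form of the comment, such as `(0014)about:internet`.

```python
import re

# Assumed comment shape, following Microsoft's documented Mark of the Web form:
#   <!-- saved from url=(NNNN)URL -->   followed by CR LF
# where NNNN is the zero-padded decimal length of URL.
MOTW_RE = re.compile(rb"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.IGNORECASE)


def make_motw(url: str) -> bytes:
    """Build a Mark of the Web line for `url`, terminated with CR LF."""
    encoded = url.encode("ascii")
    if len(encoded) > 9999:
        raise ValueError("URL too long for a four-digit length field")
    return b"<!-- saved from url=(%04d)%s -->\r\n" % (len(encoded), encoded)


def check_motw(page: bytes, scan_lines: int = 5) -> dict:
    """Look for a Mark of the Web in the first few lines of an HTML file and
    list anything that breaks the rules stated on this page."""
    result = {"found": False, "url": None, "problems": []}
    for line in page.splitlines(keepends=True)[:scan_lines]:
        m = MOTW_RE.search(line)
        if not m:
            continue
        declared, url = int(m.group(1)), m.group(2)
        result["found"] = True
        result["url"] = url.decode("ascii", "replace")
        if declared != len(url):
            result["problems"].append(
                f"length field says {declared} but URL is {len(url)} bytes")
        if not line.endswith(b"\r\n"):
            result["problems"].append("line does not end in CR LF")
        # A commenter on this page suspected that a mark sharing its line with
        # a tag is ignored; reported here as a warning only.
        if line[:m.start()].strip() or line[m.end():].strip():
            result["problems"].append("comment shares its line with other markup")
        break
    return result


# Constructed sample pages, embedded so the example runs offline.
GOOD_PAGE = make_motw("about:internet") + b"<html><body>ok</body></html>\r\n"
BAD_COUNT = b"<!-- saved from url=(0013)about:internet -->\r\n<html></html>\r\n"
LF_ONLY = b"<!-- saved from url=(0014)about:internet -->\n<html></html>\n"
SAME_LINE = b"<!-- saved from url=(0014)about:internet --><html>\r\n</html>\r\n"
UNMARKED = b"<html><body>no mark</body></html>\r\n"

if __name__ == "__main__":
    samples = {"good": GOOD_PAGE, "bad count": BAD_COUNT, "LF only": LF_ONLY,
               "same line": SAME_LINE, "unmarked": UNMARKED}
    for name, page in samples.items():
        print(name, check_motw(page))
```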

Microsoft: are you really expecting all the world to add "the Mark" to their pages so that they can be viewed offline?

Another problem:
My guess is that a lot of people - like me - write ordinary static web pages locally and test them locally; however testing locally is not going to be possible.
What do web editor programs do - do they add in "the Mark"?

Microsoft's "IEBlog" on the Mark of the Web.

Another possible workaround: HTAs (HTML Applications)

Another suggestion is to use an HTA (HTML Application) wrapper round your local content. (Microsoft documentation of HTAs). An HTML Application works exactly like Internet Explorer except that all the normal menu and toolbar options are missing - which makes ordinary navigation difficult.

HTML applications are supported by Windows Internet Explorer and Windows Opera but not by Windows Navigator/Mozilla. (Not tested on other platforms yet.)

The idea is that you provide one additional file, eg called index.hta that contains the following:



My HTML Application








Set the green text to an application title and your start web page.

The final job is to get Windows Internet Explorer users to view the index.hta, eg by providing a shortcut to it, or setting AutoRun to start it. The shortcut or AutoRun may not work if another browser is the default browser.

Further information I have been told:
You can use frames in the HTA instead of IFRAME if your application already uses frames. Depending on the web application, it may be necessary to add APPLICATION="yes" to all/some FRAME tags.
If an HTA opens another window then this window does not inherit the "application=yes" trusted status.

9 March 2006: Problems running Java Applets in an HTA container:

If the Microsoft VM is installed, then this is used when HTAs are run by MSHTA.EXE (even if the Sun VM is installed and is being used by IE). This was reported on 26-APR-2004 to Sun (Bug 5037845).

Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA. MSHTA.EXE consumes all available cycles (an infinite loop?), ie the process runs at CPU 99% in the Windows Task Manager Process tab. Reported to Sun as a bug, 9 March 2006.

There is a work around for this problem (thanks to John, see below - 10 Apr 2006). The idea is to use a JavaScript handler for the "onbeforeunload" event to remove the Java applet from the page when the page unloads. This partial example removes the "fisCD" applet from its container "div1" when the page is unloaded:

Another possible workaround: Use ShellRun

Another possible workaround for CDs and DVDs is to use the retail version of our ShellRun Windows software. ShellRun is an AutoRun tool for CDs and DVDs, ie it runs when a CD is inserted. It displays a message or menu while starting a browser etc to show your CD's first page. ShellRun has an option to enable Windows XP SP2+ Internet Explorer Active Content. If active content has to be enabled, ShellRun continues to run in the background until the CD is ejected, the system is shut down or the user logs off; at this point ShellRun restores the setting(s) to their original value(s).

Another possible workaround: Use Dynamic-CD

Another possible workaround is to use our Dynamic-CD Windows software. This is an internet web server that can be put on CD or run anywhere locally.

If used on a CD or DVD, Dynamic-CD AutoRuns when inserted into a Windows computer. Dynamic-CD starts the default browser to display a start page at eg http://127.0.0.1:8080/default.asp. Dynamic-CD itself serves the pages, getting the data from the CD. The 127.0.0.1 address is usually deemed by Internet Explorer to be Intranet Zone, and will therefore allow most content to run.

Dynamic-CD only runs in Windows. However Local Machine Lockdown is a problem only for Windows Internet Explorer, so users of other platforms can view the content normally.

Another possible workaround: Use other browsers

If you are just viewing or developing pages yourself locally and do not expect others to view them locally, then a simple solution is to use another browser. It is sensible anyway to check that your pages are viewable in other browsers.

A variant on this approach is to view your pages locally through a local web server, such as IIS, Apache or Dynamic-CD.

Comments:
(We received many earlier comments by email. However the comment form for posting online was not provided so we cannot list them.)

Manuel, Italy, Sun, 12 Jun 2005 09:12:33 (GMT)
Great advice on this issue! I've been knocking my head on the PC for days, sysadmin had no idea on it. Thank you very much for these infos, hope MS will fix it up soon.
Regards, Manuel

John E Colman, Sun, 26 Jun 2005 22:34:17 (GMT)
Some great tips here I hadn't found elsewhere. I hope that others also stumble onto your site.

Graham, Sun, 03 Jul 2005 09:36:21 (GMT)
I'm glad I found your site, some good tips available. I think microsoft will have to retract this security issue sooner or later, as most marketing catalogues will eventually be produced on CD. We need to lobby them relentlessly.

arul, Mon, 04 Jul 2005 16:55:43 (GMT)
I've been unable to run JavaScript on my IE6 (winXP). Now I have a clearer picture. Thanks a lot for this page. Keep up the good work!

Martin Modin, Thu, 14 Jul 2005 21:19:37 (GMT)
This is great information. I hope it's OK that I blogged about this "http://tinyurl.com/7oboq" if not let me know and I'll remove it.

Peter Zelei, Mon, 25 Jul 2005 13:28:42 (GMT)
you saved my life... thank you very much

amit, Fri, 29 Jul 2005 14:17:36 (GMT)
thanx gratefully

Ed, Tue, 02 Aug 2005 14:35:15 (GMT)
Another workaround - Use Desktop Explorer to map a drive letter to a folder (like My Web) on the C: Drive and use the path to that drive to open the files. The only trick is the path must be in the format: \\PCIdentity\C$\PATH. When files are opened with the new drive letter, they are treated as if they are not on the local drive.

For my browser home page, I have a web page with lots of pull-down menus using scripts that automatically go to the selection when you release the mouse button. Those simple scripts were "flagged" as suspect and I was not willing to right-mouse-click and over-ride every time I launched a browser window. I first tried placing the file on a company file server that was mapped to another drive letter and it didn't come up with any alerts. So the next step was to assign a drive letter to the folder where my files are and that worked.

big boy, Wed, 10 Aug 2005 10:02:47 (GMT)
I was at a loss to figure out what was going on, why didn't microsoft have the decency to inform me about this problem, I have spent money on stuff I had been reading for months then suddenly I began to get this content message, now I can't continue this net course that cost me good money until microsoft fixes this problem, I tried going through the steps but still I can't seem to figure it out, guess I'll just have to keep trying or wait for MS to get their shite together !

davidb, Wed, 10 Aug 2005 16:13:24 (GMT)
As a technical writer, this was an incredibly frustrating set of issues to learn about. I now have a process whereby I have to manually add the 'mark of the web' to every HTML page I create for HTML Help. And my company had to change our products' installation procedures by adding an appropriate registry entry so that HTML Help can be read from CD or any mapped drive other than C: -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions] "MaxAllowedZone"=dword:00000001
Microsoft KB 896054: You cannot open remote content by using the InfoTech protocol

Peter Zaremba, Sat, 03 Sep 2005 19:50:55 (GMT)
Thanks for creating this page. I was going crazy trying to figure out a work around for active content run locally. After reading your page I have a couple of ideas. Thanks again.

Bill Claxton, Tue, 06 Sep 2005 08:54:08 (GMT)
Ed, thank you so much! I've tried the HTA route and don't much like it - for one thing, the application environment doesn't look like a standard browser window.

The best approach is your tip, which not only works, it requires changing only the startup - no web content needs to change at all. I customized my startup script to detect XP and handle other potential problems. Following is the result.

Normally I run an HTML page 'index_cd.htm' when the CD starts. Now I launch this batch script in my 'autorun.inf' (using 'start /min share_cd.bat'), and it works marvellously.

@echo off
:detection
ver | find /i "Windows XP" > nul
if not errorlevel 1 goto share_drive
start index_cd.htm
goto end

:share_drive
if "%computername%" == "" goto err1
net share cd_rom /d
for %%d in (c d e f g h i j k l m n o p q r s t u w x y z) do if exist %%d:\share_cd.bat net share cd_rom=%%d:\ /users:1 /r:"This CD-ROM is temporarily shared."
if errorlevel 3 goto err2
start \\%computername%\cd_rom\index_cd.htm
goto end

:err1
echo Error - unable to locate 'computername' environment variable.
goto end

:err2
echo Error - unable to share CD as a network drive. This action requires Win2000 or WinXP.
goto end

:end
echo.
echo Program completed successfully.

Addendum: While 'start' can be used in the batch file, it fails in the 'autorun.inf' on XP and Win2000. All along I've been using 'shellexecute', but I wanted the batch script to run in minimized mode. Fortunately I found a new shareware 'shellexecute' that supports running batch files in minimized mode: ShellExecute

The syntax for the autorun file using this utility is: "open=shellexecute /f:share_cd.bat /r:min".

ShellExecute launches the batch file properly in XP, and using the 'minimize' option you can eliminate the annoying 'DOS box flash'.

[Editor's note: phdcc's retail ShellRun software can also launch a batch file in a minimised DOS box]

elviejo, Sat, 24 Sep 2005 18:30:22 (GMT)
Also I had small javascript and I want to test it. So every time I opened explorer to test it will open the "Informative Bar" to tell me that this was dynamic content. So I had to tell it that I really wanted to open it.
But the most annoying, yes there is more, is that whenever I changed the local webpage to debug it, Explorer closed by itself, as simple as that you change a local webpage, explorer closes.
This for a hand made webdeveloper is totally unacceptable, arggh!

Christopher Hill, Thu, 29 Sep 2005 12:55:23 (GMT)
Re the comments from Ed and Bill Claxton about sharing the CD drive and connecting to it to fix the problem. If you do this you are opening up a whole can of worms because it means that anyone on your network can view the contents of your CD drive. So if you put a CD with confidential information on anyone can see what it is on it! Additionally, if you're not running as Administrator or Power Users on your workstation (which many corporate and educational users won't be) you won't be able to share the drive anyway, so it won't work.
In short - it's a bad idea! Don't do it!

brian, Sat, 01 Oct 2005 18:28:55 (GMT)
wow all this info, for the most of us including me we don't understand half of it, if any of it, i am not thick i use html and java script for making web pages, but i do know that the blocked content popup box is a right pain microsoft should give us a facility to turn it off.
come on microsoft you are dealing with normal people here we aren't all computer engineers you know

Stacey, Wed, 05 Oct 2005 12:14:21 (GMT)
This page was so helpful! I couldn't figure out why my users were getting the security message but I have a clear understanding now. Thanks.

Paul Baker, Tue, 18 Oct 2005 20:27:09 (GMT)
Although the mark of the web sorts my problem for htm(l) pages, if I save the page as a web archive (mht) the mark is not respected in the resulting mht file. This is despite Microsoft's assurances to the contrary. What seems to happen is that the html is "re-formatted" when the save occurs and the MOTW comment is no longer on its own line but instead shares a line with, say, a tag. Whether this is the problem or not, the MOTW is certainly ineffective in the mht file.

Mario Schmalzl, Fri, 21 Oct 2005 17:02:44 (GMT)
Great approach, but still it doesn't work, if the zone cannot be defined clearly.
For so called "mixed zones" Sites (as in MS-CRM 3.0) you cannot assign a site and/or set security permissions.
Anyone an idea on that?

stephen harris, Tue, 25 Oct 2005 16:32:11 (GMT)
Thank you, very useful and helpful suggestions, I have designed a few medical calculation web pages for distribution to clinicians who cannot access the Hospital Intranet. Most are using Win 2k, but a few are using XP. I will need to experiment to see which is the best option.

Iris, Thu, 03 Nov 2005 23:23:49 (GMT)
This is great info. I have a puzzling scenario though. None - I mean absolutely none - of my applications can open help at all. When I try to open chm files directly, it cannot open mk:@MSITStore:C:\pathto\filename. I have registered the hlpctrl.ocx, as advised somewhere else. I have tried to enable the ms-its protocol, no luck. All the help files are on my local machine and the apps run locally, so I shouldn't have this issue. Right?
Any insight would be greatly appreciated!!

Nick, Fri, 18 Nov 2005 00:26:20 (GMT)
Thank you very much - The HTA work around worked for my CD

Alex Garcia, Wed, 30 Nov 2005 17:32:10 (GMT)
This is great info. Thank you...

Tony, Fri, 02 Dec 2005 05:37:30 (GMT)
The Dynamic-CD program works great. Other than disabling security -- which is not something I think prospective customers would be interested in doing -- nothing else seemed to work when linking to PDF documents. Thank you for this fantastic recourse!

Cheong, ganpuzzle, Thu, 12 Jan 2006 01:27:39 (GMT)
Excellent article. We should all revolt against MS. I am seriously affected because I sell java applet puzzles. Guess what, lately I have a few requests for refund thinking that it is my software that is faulty. Microsoft is trying to kill Java applet, that is for sure.
Do I have a legal case against Microsoft for preventing me from making a living?

Michael Hall, Sat, 21 Jan 2006 00:34:11 (GMT)
I have built a multimedia app in .html. I have put the generic MOTW on every page. The app works in IE with XP SP 2 (in Internet Zone) but the app's performance is so slow it is almost not usable. I have found however, that if I establish a connection to the internet (while running the app locally) then the app's performance is greatly improved. Can you explain why performance is improved by connecting to the internet and also if there are any additional workarounds I can try?

John Page, Fri, 3 Feb 2006 11:20:43 -0700
Good stuff. I am using the Mark of the Web solution, but a couple of comments:

It does not appear to verify the url in the tag. I have found you can put any garbage (non-existent) url there and it still works so long as the byte count is OK.
In that case, what is to stop a malicious coder putting any mark in their code?

Hans, Sun, 12 Feb 2006 11:37:10 (GMT)
Thanx for sharing knowledge regarding sp2 security. It was definitely worth the time reading this page.

Mike, Sun, 12 Mar 2006 23:10:20 (GMT)
This is outstanding information. Thanks so much for sharing!

Chris, Fri, 07 Apr 2006 08:10:49 (GMT)
Hello,
Thanks for this article.
But am i the only one seeing another big issue here or am i completely wrong.
I added a MOTW with localhost as source to a web page and executed it locally. Sure enough it runs in the Intranet Zone context?!
So, if malicious code manages to run locally, why don't they just use that MOTW to get around the new Locked-Down Local Machine Zone restrictions from MS?
Scenario:
Malicious webpage manages to execute a file locally.
File has MOTW (localhost)
File runs in Local Intranet zone and can do pretty much whatever it wants?
Install add-ons, system-wide access if user is local admin etc etc.

[Editor: I think the answer is that Local Machine Lockdown is primarily designed to stop injection attacks, ie a page on a web site that somehow sneakily manages to elevate its zone so that some JavaScript can operate with Local Machine privileges. Internet Explorer should not accept a MOTW at this stage, therefore the attack will fail because the local machine is locked down. As I said earlier, stopping unwanted zone elevation would be a better solution. ]

John, Mon, 10 Apr 2006 01:07:26 (GMT)
I encountered the problem you mention:
"Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA."
I found a workaround for my case is to do something like this in the document's onbeforeunload event handler:
document.body.removeChild(document.getElementById("applet"));

Todd, Sat, 29 Apr 2006 18:07:20 -0700
I'm trying to make a local DHTML application that acts as a "shell" for intranet content running in a separate (eventually hidden) frame, and while I'm still stuck, this page has given me lots of food for thought. I've worked around the "Mixed Zone" message, but am still not able to get the onload event to fire when the intranet page loads or updates. There's apparently still something IE doesn't like...

Henry, Wed, 3 May 2006 00:46:51 -0700
Everyone should
(1) Uninstall SP2, and
(2) Start a class-action lawsuit against MS.
I've taken care of step one....

Mike Hutchinson, Sat, 6 May 2006 06:47:18 -0700
Your Article on XP SP2 and making javascripts work locally
Thank you so much. I have been going mad trying all the options in IE6 to make this work. I do a lot of javascript development work. Your article is not only a life saver but presented in simple clear straight forward helpful terms for people to understand with actual examples.
WONDERFUL!
Thank you again for taking the trouble to clarify this

Brian, Sat, 6 May 2006 11:26:00 -0700
Thanks, your instructions helped tremendously on allowing blocked content from local files.

Ali, Mon, 15 May 2006 23:26:30 -0700
Thank you so much! I've tried the HTA route and I liked it so much! It works for displaying the 1st HTML page only. When I tried to call another HTA file from the 1st HTML page (to display another HTML page) the security warning window displaying Run|Save|Cancel appeared. Do you have a workaround for this, too?
Answer: You should be able to open another page simply by providing a normal link to the HTML file - the page will then open in the same HTA window. You do not need to wrap all pages in a HTA file.
Thank you very much for your quick reply and assistance. Yes, I did just as you suggested. It works just like I wanted the first time!!

Diana Ost, Tue, 16 May 2006 10:15:16 -0700
Has anyone tried any of these applications with a WebHelp file generated from RoboHelp? Some of the solutions look too difficult for me, but others I might be able to manage. Problem is, the WebHelp file uses frames, with a TOC on the left and content called from the TOC link on the right.
What does everyone suggest as the best solution for this problem?
And, is there any way to register the ActiveX file and give it a certificate to make IE run on our intranet WITHOUT the yellow bar showing up??
Thanks in advance!

Scott, Thu, 08 Jun 2006 01:29:32 (GMT)
Just wanted to thank you for this page. It was very clear and helpful.

Steve, Wed, 21 Jun 2006 19:25:41 (GMT)
Thanks for all the info. Another weaker suggestion for Microsoft would be to at least make the information bar smarter with one-click options to either accept blocked content or see more information. Three clicks starts to make wrist slashing seem like a reasonable alternative...

Makarand Kurkure, Thu, 13 Jul 2006 16:11:45 -0700
The content is very helpful. We had resolved Brio Query insight issue through this.

lisa james, Mon, 31 Jul 2006 23:49:13 -0700
I FOUND YOUR SITE VERY HELPFUL AND TO THE POINT,THANK YOU.

jerry, Fri, 11 Aug 2006 08:05:49 (GMT)
wonderful information it helped me a lot

Steve, Sat, 12 Aug 2006 19:20:30 (GMT)
I wanted to add my thanks for your really excellent information. This is the only proper explanation I've found, after much looking. Microsoft should be truly ashamed for their slapdash "fixes". You describe all aspects of this issue so well.

JJ, Wed, 16 Aug 2006 08:53:03 (GMT)
I've written VBS code to add in a Mark Of The Web to a .mht file that gets created dynamically and saved to the user's TEMP folder. The VBS utility then opens up the .mht file but I'm still getting the Information Bar. However, if I run the .mht file by double-clicking on it I don't get the Information Bar!
So, is there some restriction with the MotW that prevents it from working if the web page is called from a VBS?

Martin, Sun, 20 Aug 2006 17:38:17 (GMT)
Thanks a bunch for setting up this informative website. It saved me a lot of time and aggravation trying to understand the trouble I went through.
For my personal means I adopted the suggested workaround solution via mapping the local Website \\PCIdentity\C$\PATH to some drive letter -> works like a breeze here.

xicar, Sat, 26 Aug 2006 03:06:21 (GMT)
I'm having some troubles when I try to open a zip file directly from a cd/dvd: a pop up opens telling me that my security settings do not allow this action. This happens when I double click on each zip file, but if I do it from the tree in the windows explorer I can open it. This began to happen since I updated framework.net with the last security patch
can someone tell me how i change this security setting?
thks

mfouchi, Tue, 12 Sep 2006 18:51:34 (GMT)
Thank you, thank you, thank you.
Luckily I came across this site with the solution for Java hanging when closing an HTA process (mshta.exe)

t'ni, Sat, 28 Oct 2006 23:05:10 (GMT)
I bow down to you. This page has all the information I've been looking for for months. Your MOTW solution does seem to work, however I am not editing the 32767 pages I have on my computer.
I always thought the Local Intranet contained MY computer, glad now you've shown it to me.
Since I already have drives subst'd for E:\Local Trusted Internet Pages\ and E:\Newly Downloaded and NotSo Trusted Internet Pages\ I'll give this mapping bit a try.
Thank you from the bottom of my heart for such an informative article. I am so indebted to you after pulling my hair out for months since being forced to migrate to WinXP Pro SP2.

William Pollard, Sun, 12 Nov 2006 10:45:58 (GMT)
Thank you very much for that info on block content box, it was very useful in allowing my local intranet page to work the way I designed it to.

Bill Wood, Wed, 13 Dec 2006 13:34:52 -0700
Thanks for this page. It's so much clearer than the MS documentation. The only thing I would clarify is what happens when a page marked with MOTW is run in the locked down Local Computer Zone. Contrary to intuition, Local Computer Zone (and the locked down local computer zone which is used by IE) is considered the most privileged of the zones, even when it is locked down (as it is when using IE) to be effectively less privileged. So, MOTW can only switch to a less privileged zone such as Intranet or Internet zones. Using MOTW is also a way to test locally what Internet users would experience if you use the about:blank MOTW.
Another method to mitigate this problem is to implement a simple shell program that hosts an IE active X control. Only IE is subject to lock down, other programs are not (yet)!

Adam Gibson, Fri, 12 Jan 2007 22:14:12 (GMT)
Thanks for the suggestions - fantastic - however - with Vista the above does not work - what's the workaround for this or have I missed something?
Well I am trying to install Class server through our learning gateway at work - the instructions tell me to add "My computer" to the zone area by running the registry change, which I have done, but it still does not appear there so I cannot go any further.
The gateway providers tell me that they have not made this compatible with ie7 (I think its an ie7 problem rather than Vista!) but it must just be a case of adding "My Computer" anyway?
I wondered if there was another security setting that was preventing the registry change from happening although I am told that the change had been successful.

Marko Aho, Thu, 26 Apr 2007 10:32:10 (GMT)
For Vista, the reason for locally stored content not working may be, that the content was saved from email. Vista blocks these automatically, and you will have to enable the (e.g. the index.htm) content through the properties. The same applies to content sent through MS Messenger (even in XP).

Yuriy Shikhanovich, Tue, 15 May 2007 19:34:05 (GMT)
First off, thanks for a great resource.
I'd like to respond to a commenter asking about trying to make sure Robohelp works.
What you basically have to do is to add application=yes to any frames and iframes (and just in case framesets, but I don't know if that's required)


Martin, Tue, 19 Jun 2007 04:40:19 (GMT)
This is a great resource but I'm still stuck. I'm trying to launch a pdf in a separate window from web link but I get the activeX message "harm your computer" and business people don't want to go live with this message. I tried calling HTA file from HTML page and I get the "Do you want run..." message and again the business doesn't want to live with this message. Recommendations? Thanks.

Bill Claxton, Fri, 20 Jul 2007 07:56:33 (GMT)
Thought I would update you after rewriting my batch scripts to allow active content. I have described the latest scripts in my blog (http://learningweb.blogspot.com/2007/07/launching-active-content.html), and the scripts are available for download. These not only handle the IE security issue, but also the Flash player security issue. Hope it is helpful, and welcome any feedback.
Incidentally, I think Christopher Hill's remark about network sharing exposing the content of confidential CDs is valid. But none of our CDs are confidential and in my experience this has been less of an issue than simply getting the bloody discs to run without calling tech support.
Perhaps it's an exercise for the sysadmin to clean up unused network shares.

rotimi Iziduh, Tue, 24 Jul 2007 05:38:33 (GMT)
Hi Guys, I'm trying to learn AJAX from scratch. The problem is sample ajax scripts do not run on my internet explorer browser and they return the error message "access denied". Is this because I'm running them without a server? Or is there some other reason? Here's the link to the sample page. http://www.webreference.com/programming/javascript/jf/column12/index.html thanks
Answer: you do need to run it on a server

Daniel, Wed, 07 Nov 2007 00:40:44 GMT
You can tell the CD-ROM to open index.htm in its own browser. For example, you can add HtmlViewer (www.cdmenupro.com, by Klaus Schwenk) to the CD-ROM. It's a simple browser that loads the java applet. You just need to change the CD_Conf.ini here:
[INTRO]
ENABLE=1
PLAYER=_CURRENTDIR_\HtmlView.exe
FILE=_CURRENTDIR_\index.htm
If you need to open pdf files from inside FindInSite, Klaus also has pdfStart.

John Dugdale, Wed, 21 Nov 2007 09:10:08 (GMT)
I have a IE sidebar which shows web pages in a browser component. I still had to put the MOTW on all my pages to avoid the security warning. I can no longer use ajax requests which give the aforementioned access problem. Is there no way round this in the case of a DLL ?

chetan sachania, Wed, 20 Feb 2008 11:30:32 GMT
Hi rotimi Iziduh....
yes if you run AJAX directly it will cause problem in IE7.
for ex: c:/test/index.html <--- if you run html page with ajax like this it will cause Access denied ERROR.
Solution: http://localhost/test/index.html you have to configure local site in your IIS.

BV, Mon, 09 Jun 2008 13:58:24 GMT
Do you have a suggestion for flash? Adobe is following in MS footsteps, you can develop and run local, but when send it out on cd, it will fail. There are ways around similar to MS, but harder.
[Editor: I haven't used Flash so I do not know sorry.]

ben, Wed, 12 Nov 2008 00:09:54 GMT
thank you so, so much for this. you've saved my neck in a dire emergency. this project's over, now i can flee back to the warm comfort of ubuntu. :P

Greg Souders, Wed, 06 May 2009 07:13:53 GMT
Thank you Chris Cant for producing this page. I was also struggling with this one. For me the issue arises when testing web pages locally before publishing. I think the best solution for this case is to Map a Network Drive as Ed suggests. Thanks Ed for your suggestion. This solution allows testing local web pages without compromising security. Local Machine Lockdown is bypassed if the pages are accessed via the Network Drive but still active while surfing the web. Ed states that you must use the following format \\PCIdentity\C$\PATH. PCIdentity is the computer name of your machine, C$ is a hidden Administrative share for the C: drive and PATH is the directory path to the folder containing your Web Site(s). This will work for XP Pro machines but not for XP Home. XP home does not create hidden Administrative shares. To overcome this, share the folder where your Web Site(s) reside and Map your Network drive to the shared folder \\PCIdentity\SHAREDFOLDER. This approach will still bring up the information bar stating "Internet settings are now turned off by default...". However you can click on the bar and select "Don't Show Me this Again" to disable the message for good.
The registry value that controls this message is "WarnOnIntranet" and is located here [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] The default value is 1 enabling the message, 0 disables the message.

Pál Marosi, Mon, 27 Jul 2009 14:02:53 GMT
Thanks for creating this outstanding page.

Budhiram Barad, Tue, 05 Oct 2010 08:16:04 GMT
THANK YOU

jsllearner, Sat, 05 Feb 2011 04:09:41 GMT
I am wondering if it is possible for this to be happening without any warnings being issued, no popup no yellow bar, nothing. I seem to be having this problem and have tried fixing my local machine/My Computer settings to allow scripting, MOTW (this did NOT work, making me wonder if this is really the problem, or if somehow the warnings are turned off???), resetting jscript.dll, resetting ie8. I don't want to be mucking around my registry until I am sure this is the problem, and especially if I am not sure it will fix it, as all I know is that no local files can run any javascript, even a simple alert. I am running vista business sp3, ie8. here is a sample code

test
could it be any simpler? all i see is the word "text".
Later:
well, I fixed the problem. turns out there was an extra entry in my internet zones registry which needed to be deleted (malware/flash?). go figure. see http://www.windowsbbs.com/windows-xp/96205-windows-services.html for what I did
the full solution involves removing trojan fake alert using malwarebyte's antimalware to remove the rest of it.

Luc, Fri, 10 Jun 2011 11:30:20 GMT
Thank you!