Customize HIGH Security Template
M. Gallant 02/023/2000
[Note: Administrator privileges are required to run this Java application on NT and Win2000]
Internet Explorer 4 and 5 provide web-browser security by placing
web site URLs into several security zones (Internet, Local intranet,
Trusted sites, Restricted sites) depending on the origin of the downloaded content.
Each of these security zones has a set
of corresponding security settings (HIGH, MEDIUM, MEDIUM-LOW, LOW) which
determine what privileges the web-page content is permitted (e.g.
scripting enabled, Java enabled, downloading enabled etc..).
These group security settings are determined by default template
values contained in win32 registry settings.
While the default HIGH security settings provide some protection, the default settings allow scripting, and Java applets to execute.
With concern over the security of Internet web surfing and vulnerabilities in browser security
implementation and active content, it may be desirable to redefine
the default HIGH security settings to disable all active content.
Note that by default, the only Zone pointing to the HIGH security setting
is the RESTRICTED zone (which contains no sites initially). Therefore, to
make use of these customized HIGH security settings, a security zone (say the Internet zone)
needs to be pointed to the HIGH setting.
The signed Java application available below adjusts the HIGH template default values
to completely disable any active content from running by:
- Disable Active scripting (JavaScript, JScript, VBScript)
- Disable Scripting of Safe ActiveX controls
- Disable Submitting non-encrypted form data
- Disable font download
- Disable drag/drop and copy/paste file
- Disable Java applets
The settings can also be returned to the Default HIGH (Microsoft-supplied) template settings.
To use this utility, download using the customhigh.exe link below and execute from the desktop.
The java application
runs on Win95, WinNT and Win2000 provided that IE4,5 is installed. The
application (customhigh.exe) was generated using "jexegen" from the Microsoft
SDK4 for Java with the following command:
<![CDATA[
jexegen /main:CustomHighTemplate /w /out:customhigh.exe CustomHighTemplate.class
]]>
and the application is subsequently signed using:
<![CDATA[
signcode -cn "Security Development" -n "Customize HIGH Security Template" -t "http://timestamp.verisign.com/scripts/timstamp.dll" customhigh.exe
]]>
The application runs like any win32 desktop application (double-click), but requires the MS JVM (double-click).
References: