IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Avoid “Do not save encrypted pages to disk”

Internet Explorer has an Advanced option named Do not save encrypted pages to disk. By default, this option is unchecked (except for Windows Server systems) and I recommend you leave it that way.

[Screenshot: INETCPL showing option]

In IE9, this option does exactly what it says it does—resources received from HTTPS URLs are not placed in the Temporary Internet Files Cache and temporary files are not created for these resources. This option is universal for HTTPS responses; their headers (e.g. Pragma, Cache-Control) are not consulted.

While that might sound appealing to some readers, it’s important to realize that this will break any scenario where a file is needed.

There are two key scenarios when a file is required:

  1. File downloads.
  2. When an add-on or other code sets the flag INTERNET_FLAG_NEED_FILE on a request.

If a file download is attempted from HTTPS when this option is set, the secure download will fail:

[Screenshot: File download failure]

Similarly, some plugins like Flash will set the NEED_FILE flag when issuing an HTTPS request, and those requests will fail in this configuration. For instance, when Pandora attempts to log in, its XML request fails:

[Screenshot: Pandora login failure]

In IE8 and lower, the behavior of the checkbox was much more complicated, modified by a number of cumulative updates over the years. At a high level, if a Pragma: no-cache header was present on the HTTPS response, then no cache or temporary file would be created. If other no-cache headers were present, then the cache or temporary file might be created based on a very complicated set of logic, involving whether the response was compressed, and depending on the ordering of the no-cache and no-store tokens in the response’s Cache-Control header.

If you do not want HTTPS-delivered content to be stored in your cache, then you are better off setting the Empty temporary internet files folder when browser is closed option instead. Downloads and Flash applications will work properly, and IE will clear the cache completely when the browser is closed. If you're worried about local attacks with full access to your hard drive, enable BitLocker Drive Encryption, which will protect not only your cache files, but also your swap file.

-Eric

Update: In IE10, the Do not save encrypted pages to disk option now behaves differently. Instead of trying to prevent HTTPS resources from being saved to disk, the option will delete cached-from-HTTPS resources from the cache when the browser is closed. This helps ensure that the browser works correctly even when this setting is enabled. The checkbox was slated to be retitled "Clear HTTPS cache when browser is closed" but we unfortunately ran out of time.

  • Hi Eric,

    Does the option “Do not save encrypted pages to disk” prevent persistent cookies from being saved also?

    Thanks

    BM

  • @BM: No.

  • Is there a command line utility to disable the do not save encrypted pages to disk option on IE? I am planning to make it a part of the script.

  • @droidengine: No, there's no command line utility; you can either use Group Policy or set the registry key directly (use Process Monitor to find it if you like).

  • I can't for the life of me disable "Do not save encrypted pages to disk" via Group Policy (IE10 & 11). There are three different places you can disable the setting in GPManagement, but client machines still have the box checked. Using Server 2012 w/ Win7 clients.

  • @EricLaw – Thanks for this informative post. I've come back to it after several years... My Flash applications are breaking in Internet Explorer 11 for some users in the same way they break in Internet Explorer 9 with the "Do not save encrypted pages to disk". Is there a setting in IE11 that controls behavior related to the INTERNET_FLAG_NEED_FILE flag?
