IE in XP SP2 (Part 4): Opting-in to IE Security Features

Many of the security features I've mentioned in previous entries are opt-in, so if you have a custom application that hosts the web browser control you won't automatically be impacted by them. But what about the many great applications that host the web browser control, such as MyIE2, Avant Browser, or iRider? In those cases the developer may want to turn on some or all of the new security features during install. Advanced users can do this too.

The easiest way to enable the IE security features for an application is to use the "FeatureControl" registry keys described on the XP SP2 RC1 Preview site, with a more complete list on MSDN. As an example, let's say you use MyIE2 and want to opt in to the Information Bar, block non-user-initiated file downloads, block ActiveX install prompts, and lock down the Local Machine Zone. Use regedit to set the following values:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"MyIE.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
"MyIE.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
"MyIE.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"MyIE.exe"=dword:00000001

You can also add these in HKLM if you want them to affect all users. After adding these registry keys, restart MyIE and navigate to a web site that tries to do one of these things... Information Bar!

Similarly, let's say that you work in a company that has a mission-critical application built on IE that is broken because of one of these security features. Using the same technique, you can selectively disable them for the iexplore.exe or explorer.exe processes until you are able to update the application.

Curiously, in writing this blog I discovered that Avant Browser is also named "iexplore.exe", so by default it will inherit all of the IE security features. So is that a feature or a bug?
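Because the values are keyed by executable name and can live in either HKCU or HKLM, it helps to check what a given host process is actually opted in to, and to spot temporary opt-outs that were never removed. The following PowerShell audit is an added example, not part of the original post; the function name Get-FeatureState and the default MyIE.exe argument are illustrative, and the feature list covers only the four keys shown above.

```powershell
# Added example: report FeatureControl state for one host executable name.
# Read-only; it changes nothing in the registry.
param([string]$ExeName = 'MyIE.exe')

# The four features named in the post; extend the list as needed.
$Features = 'FEATURE_SECURITYBAND', 'FEATURE_RESTRICT_ACTIVEXINSTALL',
            'FEATURE_RESTRICT_FILEDOWNLOAD', 'FEATURE_LOCALMACHINE_LOCKDOWN'
$Base = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'

function Get-FeatureState {
    param([string]$Hive, [string]$Feature, [string]$Exe)
    $path = "${Hive}:\$Base\$Feature"
    if (-not (Test-Path -LiteralPath $path)) { return 'key missing' }
    # RegistryKey.GetValue returns $null when the named value does not exist.
    $value = (Get-Item -LiteralPath $path).GetValue($Exe, $null)
    if ($null -eq $value) { return 'not set' }
    switch ($value) {
        1       { 'enabled' }
        0       { 'disabled' }
        default { "unexpected ($value)" }
    }
}

# One row per feature, showing the per-user and per-machine value side by side.
$report = foreach ($feature in $Features) {
    [pscustomobject]@{
        Feature = $feature
        HKCU    = Get-FeatureState -Hive 'HKCU' -Feature $feature -Exe $ExeName
        HKLM    = Get-FeatureState -Hive 'HKLM' -Feature $feature -Exe $ExeName
    }
}
$report | Format-Table -AutoSize

# Explicit opt-outs (value 0) are the exceptions worth tracking and removing
# once the affected application has been updated.
$optOuts = @($report | Where-Object { $_.HKCU -eq 'disabled' -or $_.HKLM -eq 'disabled' })
if ($optOuts.Count -gt 0) {
    Write-Warning "$ExeName has explicit opt-outs: $($optOuts.Feature -join ', ')"
}
```

Saved as a script, it can be run once with `-ExeName MyIE.exe` and again with `-ExeName iexplore.exe` to compare a third-party host against the values that apply to anything running under IE's own executable name.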

Reminder: This is preliminary information and subject to change. This isn't official documentation, just stuff I think people will find interesting.