Internet Explorer Information Bar

The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Information Bar and
Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
Pack 2.
What does the InternetExplorer Information Bar do?
TheInternetExplorer Information Bar in Windows Server 2003 Service Pack 1 replaces many of thecommon dialog boxes that
prompted users for information in previous versions and provides a prominentarea for displaying information that users may
want to view or act upon.Examples of dialog boxes that have been replaced by Information Bar notifications include blocked
ActiveX installs, downloads,and activecontent.TheInformation Bar will provideinformation similar to the notification area in
Microsoft Outlook 2003, which informs users of blocked content.
Who does this feature apply to?
This featureapplies to thefollowing audiences:
Users who need to understand how the new behavior will affect their Web browsing experience.
System administrators, who need to know how to turn this functionality on or off for theclient computers in their
organization.
Designers of Web sites that rely on add-ons, which will providea different user experience.
Developers of Web-based applications who need to understand how their experiencechanges.For example, this affects
the development of ActiveX controls. ActiveX controls thatare updates to controls thatarecurrently installed on other
computers will only betreated as updates if the GUID of the new control matches thecurrent GUID.
Developers of applications hosting the Web browser control will need to know how to usethe new application
programming interface(API) to takeadvantage of this new functionality.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Information Bar user interface
Detailed description
TheInformation Bar looks and acts in a similar way to the Outlook 2003 blocked content notification area. Itappears below
InternetExplorer toolbars and abovethe Web pagein view when a notification is presentand disappears on the next
navigation.Thetext in theInformation Bar varies, depending on the notification that is provided,and wraps to two lines if the
textexceeds the bounds of the notification area. If a user controls thefocus (that is, which object in the browser can receive
input) by pressing theTAB key, theInformation Bar gets focus after thetoolbar and beforethe Web page.
Either clicking or right-clicking theInformation Bar brings up a menu that relates to the notification that is presented.This
menu always contains a link to Information Bar Help, which provides more detailed information about the notification.
Additional menu items related to the notification appear abovethe Help menu item.
Users can configuretheInformation Bar to play a sound when itappears; the default setting for thesound is On.When the
Information Bar appears, the Windows trust icon appears in place of theError on page notification on thestatus bar.
In certain cases, morethan oneaction can be blocked.For example,a pop-up window may be blocked at thesametimethatan
add-on install is blocked. In thosecases, thetext becomes more genericand the menus mergeto show each action blocked at
thetop level, with each action’s menus in a submenu.
Thereis a custom security zonesetting for theInformation Bar thatenables users to changethesettings of theInformation Bar
by security zone. Users can chooseto be notified with theInformation Bar or to go back to the previous behavior and geta less
prominent notification for fileand code downloads.
Why is this change important?
In Windows Server 2003 Service Pack 1, InternetExplorer may block content that is necessary to completecertain onlinetasks.
TheInformation Bar provides a prominent notification that informs users how to get Web pages they trust working again
without the moreintrusive prompt that was provided in Windows Server 2003.
What works differently?
For this information, seethe next section, “Whatexisting functionality is changing in Windows Server 2003 Service Pack 1?”
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Add-on install prompts
Detailed description
In previous versions of InternetExplorer included with Windows Server 2003, when a Web pagerefers to an ActiveX control
that is not currently on thecomputer, users areasked whether they want ActiveX controls to be downloaded. In thecurrent
version of InternetExplorer, this prompt is displayed in theInformation Bar.Thefollowing table describes theelements in the
Information Bar.Text in italics will bereplaced by thespecific items appropriateto thesituation.
Information Bar details for Add-on Install Prompts
Information Bar
element
Message text
Information Bar text This site might requirethefollowing ActiveX control: Control_Name from Publisher_Name. Click here
to install…
Short text Installation Blocked
Menu options Install ActiveX Control…
What’s therisk?
Trusted publishers will work as they did in previous versions.Thecontrols thatare provided by these publishers install without
requiring additional configuration.
Blocked publishers display thestatus bar icon.Thecontrol provided by these publishers will not install on thecomputer and
does not go into theInformation Bar.
Add-on upgrades work as they did in Windows XP SP1. InternetExplorer uses thefollowing criteria when determining whether
thecontrol is an upgrade:
Thefilethat is registered as the ActiveX control must besigned with Authenticodetechnology. (This fileis referenced
from HKEY_CLASSES_ROOT\CLSID\Control_clsid\InProcServer32, where Control_clsid is the CLSID specified by the OBJECT
tag.)
The publisher namein the digital signature of the new control matches the publisher namein the digital signature of the
existing control.
If the ActiveX control is packaged in a CAB file, the CAB file must besigned.The DLL or OCX to beinstalled should also be
signed in order for subsequent upgrades to bypass theInformation Bar.
Why is this change important?
Providing add-on install prompts in theInformation Bar rather than a dialog box reduces the occurrences of users
inadvertently installing code on their computer.
What works differently?
Certain Web pages currently rely on users installing codeto function correctly.Somesites redirect the user to a separate page
thatexplains how to install the ActiveX control. If a siteautomatically redirects the page without providing thecontrol on the
new page, theInformation Bar will appear on theredirect pageto offer the opportunity to install thecontrol. If, however, the
sitecloses the window thatattempted to install the ActiveX control, thecustomer might not geta chanceto install thecontrol.
How do I resolve these issues?
Web authors should ensurethat the ActiveX control is also available on the pageto which the user is redirected.This will
ensurethat users haveample opportunity to install thecontrol.
Web pageauthors should not suggest that users lower their security settings, becauseit will not help in this situation.For
additional guidancefor Web authors on thechanges introduced with Windows XP SP2 and subsequently included in Windows
Server 2003 Service Pack 1, see”Fine-Tune Your Web Sitefor Windows XP Service Pack 2″ on the MSDN Web siteat
http://go.microsoft.com/fwlink/?LinkId=32775.
Pop-up blocked notification
Detailed description
InternetExplorer displays a notification in theInformation Bar when a pop-up is blocked.This becomes a more obvious entry
point to the Pop-up Blocker functionality, such as replaying the pop-up,adding thesiteto an “allow” list for pop-ups, or
navigating to Pop-up Blocker settings.TheInformation Bar also provides a top level entry point to turn off theInformation Bar
for pop-ups if the user decides the notification is too big for this event.
Information Bar details for pop-up blocked notification
Information Bar elementMessage text
Information Bar text Pop-up blocked.To seethis pop-up or additional options,click here…
Short text Pop-up Blocked
Menu options Temporarily Allow Pop-ups
Allow Pop-ups for this Site
Settings
Why is this change important?
Showing the pop-up blocked notification in theInformation Bar gives higher priority to that notification. Users havea better
understanding of whereto go to seea blocked pop-up window or to seetheir Pop-up Blocker settings.
What works differently?
Turning off theInformation Bar for the Pop-up Blocker causes the Pop-up Blocker to return to notifying users with thestatus
bar icon. All thesame menu items areaccessiblefrom this status bar icon if the bar is disabled for pop-ups.For more
information, see”InternetExplorer Pop-up Blocker,” later in this document.
Automatic download prompts
Detailed description
File download prompts thatarelaunched automatically now appear in theInformation Bar.
TheInformation Bar includes descriptivetext thatexplains why theaction was taken and provides a context sensitive menu that
you can useto respond to the notification.Thefollowing tableidentifies thetext that will appear in theInformation Bar and the
actions thatyou can select from the menu.
Information Bar details for automatic download prompts
Information Bar
element
Message text
Information Bar text To help protectyour security, InternetExplorer blocked this sitefrom downloading files to your
computer. Click herefor more options…
Short text File Download Blocked
Menu options Download Software…
What’s the Risk?
Why is this change important?
By moving download prompts to theInformation Bar, users can be prevented from installing unwanted code on their
computers. Previously, sites could overwhelm users with file download prompts and,as a result, users could accidentally run
unwanted software on their computer.With this change, file download prompts thatarelaunched automatically are more
likely theresult of a user’s deliberateclick and notan accidental action.
What works differently?
Any timea siterefers to a file download prompt withouta user action, such as clicking on an element of the page, the prompt
appears in theInformation Bar.
How do I resolve these issues?
Web authors should ensurethereis a link on the Web pagethata user can click to get to thefile download. If you usea script
to navigateto theresource, thescript should run synchronously within thecontext of the OnClick event handler for thelink.
For additional guidancefor Web authors on thechanges introduced with Windows XP SP2 and subsequently included in
Windows Server 2003 Service Pack 1, see”Fine-Tune Your Web Sitefor Windows XP Service Pack 2″ on the MSDN Web siteat
http://go.microsoft.com/fwlink/?LinkId=32775.