Scriptlet Security

Scriptlets are HTML pages with script code that is automatically downloaded to your computer and executed. They therefore pose the same security problems as any other ActiveX control. To address this, IE4 lets you define different levels of security. They are High, Medium, and Low.

Each of these levels has some default settings for potentially risky actions, such as downloading files or executing scripts. What IE4 actually does depends upon these settings.

The security features built into IE4 divide the Web into four zones, and you can assign a security level to each one. Scriptlets are downloaded to your computer only if they come from a server you consider trustworthy. To enable scriptlets, set the security level of the zone containing the server they reside on to Medium or Low. Unless you change the default settings, any Web server has a Medium level of protection.

Furthermore, be sure to accept ActiveX controls marked safe for scripting, and to prompt the user on controls that may be unsafe for scripting or initialization. The following two figures show exactly this.

These settings ensure that scriptlets will work properly. A level of Medium or Low is also required for all the child components of a scriptlet.

Security issues are strictly tied to the security zones, which are a new feature of IE4.

Internet Security Zones

Security zones can be seen as a partition of the entire Web. There are sites that you feel can be trusted, and others that you consider unreliable, so you would apply different security settings to each. A one-setting-fits-all policy is neither flexible nor smart. Security zones were introduced precisely to fill this gap.

All the files you can receive and access belong to one of four main areas: Local Intranet, Trusted Sites, Internet Zone, and Restricted Sites.

For the sake of generality, you can add local files (My Computer) to these. Different security settings can apply to each of these four areas. Local Intranet includes all the documents that aren't local to the machine but are accessible through a local network. Trusted Sites and Restricted Sites are lists of Web site addresses. You can add or remove sites from these lists in IE4 using the menu command View| Internet Options| Security, or by right-clicking the IE4 shortcut on the desktop and selecting Properties| Security. All the Internet addresses that belong to neither the Trusted nor the Restricted zone are by default part of the generic Internet Zone.

When we talk of a Medium, High, or Low security level, we're addressing a collection of specific actions, for each of which you have three options: Enable, Prompt, and Disable.

Enable means that the action executes silently. Prompt requires a confirmation, while Disable silently ignores the action. This is clear if you look at the previous figures.

Each predefined level is a bundle of settings for specific risky actions. You can also choose to define your own set of options.

Applying settings to zones

Each Internet zone has a different level of security that you can adapt to your own needs. By default, they are:

Zone                Security Level
Local Intranet      Medium
Trusted Sites       Low
Internet Zone       Medium
Restricted Sites    High
My Computer         (none; security checks never apply)

IE4 shows on the status bar the zone from which the document you're currently viewing comes. In the table above, we've also added a fifth zone, called My Computer, which encompasses all the local files.

Local files are considered inherently safe by IE4, and security checks never apply to them. Furthermore, you can't add local files or folders to any of the Internet security zones.

Fig. 4.15 – Defining settings for IE4 Security Zones.

Scriptlets are downloaded to your computer only if their originating Web server belongs to a zone whose security setting is Medium or Low. If you keep the IE4 default settings and put a Web site on the black list of the Restricted zone, then you won't be able to get scriptlets from there, because the default security level for Restricted Sites is High. It is not the zone a site belongs to that matters, but the security level of that zone.

For instance, if you turn the level for Restricted Sites down to Medium, then you get scriptlets from everywhere. Of course, the opposite is also true: if you turn the security level of your Local Intranet up to High, then IE4 never accepts scriptlets from any of the connected machines.

Using Custom Settings

If you're using the standard security levels (High, Medium, Low), then you just have to make sure that the level of the zone containing the desired site is Medium or Low. What if you're using custom settings for any of the zones? In this case, to have scriptlets work properly, just enable IE4 to accept ActiveX controls marked safe and to prompt on or accept those marked as unsafe.

Why don't scriptlets execute if you have a High level of protection? Because at that level, by default, IE4 ignores controls not marked safe for scripting, and from IE4's point of view, scriptlets are just unmarked controls.
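The two sections above ("Applying settings to zones" and "Using Custom Settings") describe a small decision procedure: assign a URL to a zone, look up that zone's level, and accept the scriptlet only at Medium or Low, or, under custom settings, according to the two ActiveX options. The following Python model is an added example written for this page; it is not IE4 code and touches no IE4 registry keys or APIs. The host names, the intranet suffix `.corp.example`, the rule that a Restricted entry wins over a Trusted one, and the rule that unqualified host names count as intranet are all constructed assumptions for illustration. It also enforces the page's statement that local files and folders cannot be placed in any zone list.

```python
"""Model of IE4-style security-zone evaluation for scriptlet download.

Added example for this page: a hypothetical model, not IE4 code.
It encodes only the rules the text states: zone assignment, per-zone
level, the Medium/Low rule, and the two ActiveX custom settings.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Zone(Enum):
    MY_COMPUTER = "My Computer"
    LOCAL_INTRANET = "Local Intranet"
    TRUSTED_SITES = "Trusted Sites"
    INTERNET = "Internet Zone"
    RESTRICTED_SITES = "Restricted Sites"


class Level(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"
    CUSTOM = "Custom"


# Default per-zone levels, taken from the table on the page.
DEFAULT_LEVELS = {
    Zone.LOCAL_INTRANET: Level.MEDIUM,
    Zone.TRUSTED_SITES: Level.LOW,
    Zone.INTERNET: Level.MEDIUM,
    Zone.RESTRICTED_SITES: Level.HIGH,
}

# The three per-action choices the page describes.
ENABLE, PROMPT, DISABLE = "enable", "prompt", "disable"


@dataclass
class CustomSettings:
    """The two ActiveX settings the page says scriptlets depend on."""
    safe_for_scripting: str = ENABLE
    unsafe_for_scripting: str = PROMPT


@dataclass
class ZonePolicy:
    trusted: set = field(default_factory=set)        # Trusted Sites host list
    restricted: set = field(default_factory=set)     # Restricted Sites host list
    intranet_suffixes: tuple = (".corp.example",)    # constructed sample suffix
    levels: dict = field(default_factory=lambda: dict(DEFAULT_LEVELS))
    custom: dict = field(default_factory=dict)       # Zone -> CustomSettings

    def __post_init__(self):
        # The page: local files or folders cannot be added to any zone list.
        for entry in self.trusted | self.restricted:
            if entry.lower().startswith("file:") or "\\" in entry or entry.startswith("/"):
                raise ValueError(f"local path {entry!r} cannot be placed in a zone")


def classify(url: str, policy: ZonePolicy) -> Zone:
    """Assign a URL to a zone. Precedence rules here are assumptions."""
    parsed = urlparse(url)
    # No scheme, file:, or a one-letter scheme (a Windows drive letter) is local.
    if parsed.scheme in ("", "file") or len(parsed.scheme) == 1:
        return Zone.MY_COMPUTER
    host = (parsed.hostname or "").lower()
    if host in policy.restricted:        # assumption: Restricted wins over Trusted
        return Zone.RESTRICTED_SITES
    if host in policy.trusted:
        return Zone.TRUSTED_SITES
    # Assumption: unqualified names and configured suffixes are the intranet.
    if "." not in host or host.endswith(policy.intranet_suffixes):
        return Zone.LOCAL_INTRANET
    return Zone.INTERNET


def scriptlet_decision(url: str, policy: ZonePolicy) -> str:
    """Return 'run', 'prompt' or 'blocked' for a scriptlet at `url`."""
    zone = classify(url, policy)
    if zone is Zone.MY_COMPUTER:
        return "run"            # local files are never security-checked
    level = policy.levels[zone]
    if level in (Level.LOW, Level.MEDIUM):
        return "run"            # only the level matters, not the zone name
    if level is Level.HIGH:
        return "blocked"        # High ignores controls not marked safe for scripting
    # Custom: a scriptlet is an unmarked control, so the "unsafe" setting decides,
    # provided "safe for scripting" has not been disabled outright.
    settings = policy.custom.get(zone, CustomSettings())
    if settings.safe_for_scripting == DISABLE:
        return "blocked"
    return {ENABLE: "run", PROMPT: "prompt", DISABLE: "blocked"}[settings.unsafe_for_scripting]


if __name__ == "__main__":
    policy = ZonePolicy(restricted={"bad.example.net"}, trusted={"widgets.example.com"})
    for u in ("http://bad.example.net/s.htm", "http://widgets.example.com/s.htm",
              "http://www.example.org/s.htm", "http://fileserver/s.htm",
              "file:///C:/scriptlets/s.htm"):
        print(f"{u:40} {classify(u, policy).value:18} {scriptlet_decision(u, policy)}")
```

Raising Restricted Sites to Medium or lowering Local Intranet to High in `policy.levels` reproduces the two cases the text discusses: the decision follows the level, never the zone name.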

© 1997 by Wrox Press. All rights reserved.