Installing and Configuring Internet Explorer

Internet Explorer is a suite of Internet software that includes several communication and collaboration tools in addition to the Internet client. It is completely integrated with the Windows 98 operating system and cannot be uninstalled. Various optional components, however, can be uninstalled at any time.

Adding/Removing Components

Certain Internet Explorer components are optionally installed when you install Windows 98. If you do not choose a particular component and wish to install it later, you can do so using the Add/Remove Programs function of Control Panel and selecting the desired components from Windows Setup. You can also install Internet Explorer components from the Add-Ons page of the Internet Explorer Web site. For more information and to download components, see http://www.microsoft.com/ie/ie40/download/addon.htm.

Configuring Internet Explorer with the IEAK Profile Manager

The Internet Explorer Administration Kit (IEAK) Profile Manager is an administrative tool that can be installed on your computer from the Microsoft Windows 98 Resource Kit compact disc. The Profile Manager simplifies the creation and maintenance of custom Internet Explorer configurations. Network administrators can use the Profile Manager to create, save, and load Internet Explorer profiles that customize settings for Internet Explorer. These profiles are stored in INS files that encapsulate Internet Explorer parameters and are structured very much like Windows INI files.

Understanding IEAK Profiles

There are three types of IEAK profiles, all of which work together to give you the flexibility you need:

Per-user profile.

The INS file that contains settings for an individual user. The file name usually consists of the user logon name plus the .ins file extension.

Group profile.

The INS file that contains settings for a group (such as a division or department). The file name usually consists of the group name plus the .ins file extension.

Default profile.

The INS file that contains settings that Internet Explorer uses if it does not find a per-user or group INS file. The file name is Default.ins.

The Profile Manager can also read Windows policy template (ADM) files. This ability means that administrators can create their own custom templates to define additional settings and restrictions for Internet Explorer and import them to the Profile Manager using Import on the Policy menu. When you use custom policy templates, the Profile Manager generates an INF file using the file prefix from the ADM file. For example, if you import a file called Custom.adm, a Custom.inf file is created.

Important

When you import custom policy (ADM) files to the Profile Manager, it is wise to select Check Duplicate Keys on the Policy menu to check for duplicate registry keys in the templates, and delete any duplicates from your templates.

For more information about policy template files, see Chapter 8, "System Policies."

Using the IEAK Profile Manager

The IEAK Profile Manager can be installed from the Netadmin\Profmgr directory on the Microsoft Windows 98 Resource Kit compact disc.

To start the IEAK Profile Manager

  1. Click Start, point to Programs, point to Windows 98 Resource Kit, and then click Tools Management Console.
  2. In the left pane, click the Tool Categories folder, and then click the Deployment Tools folder.
  3. In the right pane, click Profmgr.exe.

The Profile Manager is organized into a left-hand pane showing a hierarchical tree of objects and a right-hand pane showing the options. When you select an object in the tree in the left-hand pane, the options and settings for that object appear in the right-hand pane. You can change options or specify settings as necessary to manage automatic browser configurations.

The Profile Manager provides two categories of settings that you can specify: Wizard Settings and System Policies & Restrictions.

Furthermore, you can specify desktop, shell, and security settings across your organization. You can customize numerous settings, ranging from default Start and Search pages to users’ permission to transfer files when using NetMeeting.

You can control or lock down features and functions. For example, you can use the System options under the Shell category to prevent Windows 98 users from restarting their systems in MS-DOS mode. You can also use the Security option under Internet Properties to prevent users from changing any of the security settings on the Security property page in Internet Explorer. When features are locked down, they either do not appear or appear in gray type on the user’s desktop.

Before changing system policies and restrictions, you should understand the impact of the security settings on your users, especially if you have roaming users who share computers with other users. Consider, for example, the implications of removing icons from the desktop, or not allowing users to change their security settings. Make sure that your users understand what features they have access to and what features need to be configured by your IT organization.

For more information about the IEAK Profile Manager, see Help in the Profile Manager or the Microsoft Internet Explorer Resource Kit. The Microsoft Internet Explorer Resource Kit (for Internet Explorer 4) is available from Microsoft Press, or you can download a copy from the Internet Explorer Web site at http://www.microsoft.com/ie/corp/.

Configuring Proxy Servers

To ensure the security of corporate networks while allowing users access to the World Wide Web, many organizations use a proxy server. A proxy server can run on a company’s firewall computer, which acts as a security barrier between the local network and outside networks, such as the Internet. The proxy server can also speed up access to certain Web sites, because it caches frequently requested uniform resource locators (URLs).

The Internet Explorer browsing software supports the use of proxy servers. You can configure it to use a different proxy for each Internet Protocol (IP). You can do this configuration either manually or automatically using the Connection tab of the Internet Options property page.

Manual Proxy Server Configuration

You may want to configure your proxy settings manually.

To configure proxy settings manually

  1. On the View menu, click Internet Options.
  2. Click the Connection tab.
  3. Under Proxy server, select Access the Internet using a proxy server, and type the Address and Port.
  4. Click the Advanced button to specify different proxy addresses and ports for each Internet protocol server type, or to instruct Internet Explorer to Use the same proxy server for all protocols.
  5. Under Exceptions, you can also enter Internet Protocol (IP) address prefixes or machine names (such as 207.68*.* or *.microsoft.com) for which a proxy server is not to be used.

Important

When you enter exceptions, be sure to enter both the relevant names and the relevant IP numbers; if you enter only IP numbers, users who browse a site by name will still be sent by way of the proxy server and vice versa.

Automatic Proxy Server Configuration

The Internet Explorer browsing software allows administrators to configure proxy settings, such as server addresses and bypass lists, automatically. Administrators can use the IEAK Profile Manager to configure proxy settings or to create a settings file (JS, JVS, or PAC) using JScript.

Internet Explorer can be configured to retrieve proxy settings automatically for each Internet Protocol (Hypertext Transport Protocol [HTTP], File Transfer Protocol [FTP], Secure [HTTPS], Gopher, SOCKS), from an INS file created with the Profile Manager or from an HTML file that contains JScript or JavaScript, which executes whenever a network request is made. Multiple proxies can be configured for each protocol type, and Internet Explorer can automatically cycle through the different proxy servers to avoid overloading any particular server.

Benefits of Automatic Proxy Configuration

Automatic Proxy Configuration provides the following benefits:

Centralized management and compatibility.

Automatic Proxy Configuration makes it easy to administer a distributed network of PCs running Windows 98 by allowing administrators to set proxy configurations in a central location for all users. Any changes are propagated to all users as they run their browsers, without disrupting the work process.

Most compatible management solution.

With Internet Explorer, support for both IEAK Profile Manager settings and JScript configurations ensures maximum compatibility with existing installations.

Automatic Proxy Configuration Files

You can use a text editor to create automatic proxy configuration (JS or PAC) files that dynamically assign browser proxy settings based on the location of hosts. Automatic proxy configuration files are JScript files. When an automatic proxy configuration file is specified, the Internet Explorer browsing software uses the proxy auto-configuration script to determine if it should connect directly to a host or use a proxy server. You can use automatic proxy configuration files to configure users automatically to use different proxy servers for different domains.

The following example shows a proxy auto-configuration function that checks whether the host name is a local host. If it is, the connection is made directly; if it is not, the connection is made through the proxy server. In this example the proxy server name is "proxy1."

    function FindProxyForURL(url, host)
    {
        // Local (undotted) host names are reached without a proxy.
        if (isPlainHostName(host))
            return "DIRECT";
        // Every other host is reached through proxy1 on port 80.
        else
            return "PROXY proxy1:80";
    }

The isPlainHostName() function checks to see if there are any dots in the host name. If there are, it returns false; otherwise, the function returns true.
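
The following is an added example, not part of the original chapter, that extends the function above to send different domains to different proxy servers and to honor an exception list by both name and IP number, as the Important note under "Manual Proxy Server Configuration" advises. The names corp.example and partner.example, the 10.1.x.x range, proxy2, ftpproxy, and the helper stand-ins are assumptions; the stand-ins exist only so the script can be exercised offline.

```javascript
// Added example. Constructed values: corp.example, partner.example, the
// 10.1.x.x range, proxy2 and ftpproxy are assumptions; only proxy1 is on the page.

// --- Offline stand-ins for helpers the browser supplies to a PAC script. ---
// Remove these three functions before deploying the file to browsers.
function isPlainHostName(host) {
    return host.indexOf(".") === -1;          // true when the name has no dots
}
function dnsDomainIs(host, domain) {
    return host.length >= domain.length &&
        host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
    // Convert a shell expression (* and ?) into an anchored regular expression.
    var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
}

// --- Exception (bypass) lists, kept separately for names and IP numbers. ---
var NAME_EXCEPTIONS = ["*.corp.example"];     // internal sites browsed by name
var ADDRESS_EXCEPTIONS = ["10.1.*"];          // the same sites browsed by IP number

function isDottedQuad(host) {
    return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function matchesAny(host, patterns) {
    for (var i = 0; i < patterns.length; i++) {
        if (shExpMatch(host, patterns[i])) return true;
    }
    return false;
}

// Core routing decision, parameterised so exception lists can be compared.
function route(url, host, nameExceptions, addressExceptions) {
    host = host.toLowerCase();
    if (isPlainHostName(host)) return "DIRECT";
    // Apply IP patterns only to IP literals, so a DNS name that merely starts
    // with "10.1." is not mistaken for an internal address.
    if (isDottedQuad(host)) {
        if (matchesAny(host, addressExceptions)) return "DIRECT";
    } else if (matchesAny(host, nameExceptions)) {
        return "DIRECT";
    }
    // A different proxy for one protocol.
    if (url.substring(0, 4).toLowerCase() === "ftp:") return "PROXY ftpproxy:2121";
    // A different proxy for one domain.
    if (dnsDomainIs(host, ".partner.example")) return "PROXY proxy2:80";
    // Everything else: the listed proxies are tried in order.
    return "PROXY proxy1:80; PROXY proxy2:80";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
    return route(url, host, NAME_EXCEPTIONS, ADDRESS_EXCEPTIONS);
}

// Offline demonstration on constructed requests; remove before deployment.
var samples = [
    ["http://intranet/", "intranet"],
    ["http://wiki.corp.example/", "wiki.corp.example"],
    ["http://10.1.2.3/", "10.1.2.3"],
    ["http://10.1.example.net/", "10.1.example.net"],
    ["ftp://files.vendor.example/x", "files.vendor.example"],
    ["http://www.partner.example/", "www.partner.example"]
];
for (var s = 0; s < samples.length; s++) {
    console.log(samples[s][1] + " -> " + FindProxyForURL(samples[s][0], samples[s][1]));
}
// With a names-only exception list, the same internal server reached by IP
// number is sent through the proxy:
console.log("names only: 10.1.2.3 -> " +
    route("http://10.1.2.3/", "10.1.2.3", NAME_EXCEPTIONS, []));
```
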

Automatically Configuring Internet Explorer After Deployment

Although it is advantageous to use the IEAK Profile Manager to customize Internet Explorer so that automatic configuration is enabled before you deploy Windows 98, it is not difficult to turn it on after the fact. This procedure can be done in Automatic Browser Configuration under Wizard Settings in the Profile Manager. You can specify the URL of the INS file to be used for automatic configuration, as well as a time interval (in minutes) for auto-configure to occur.

Important

If you set up auto-configuration with the IEAK Profile Manager, you should then prevent your users from changing the auto-configuration settings. This step can be done under System Policies & Restrictions in the Connection tab of Internet Properties.

Users can manually point Internet Explorer to the URL of the auto-configuration file. This task needs to be done once, and then you can lock down the settings (as described earlier) so that your users cannot change them.

To set up automatic configuration manually

  1. On the View menu, click Internet Options.
  2. Click the Connection tab.
  3. Under Automatic configuration, click Configure.
  4. Type the URL for the auto-configuration file name.
  5. Click the Refresh button to update settings immediately.

Note

Some auto-configuration settings require the system to be restarted before changes to the system registry take effect.

Configuring Cache Settings

As you view Web pages, the Internet Explorer browsing software stores them in the Temporary Internet Files folder on your hard disk to make browsing more efficient. Internet files are also stored in this "cache" when you subscribe to Web sites or use offline browsing.

To configure cache settings

  1. On the View menu, click Internet Options.
  2. Click the General tab.
  3. Under Temporary Internet files, click Settings.
  4. In the Settings dialog box, you can select an option specifying how often Internet Explorer checks for newer versions of stored pages, specify how much disk space is used for the cache, and change the folder where temporary files are stored.

Note

If you change the folder where temporary Internet files are stored, viewing the %Windows%\Temporary Internet Files folder will still reflect files in the cache. This is because that folder is referencing a Shell Handler, not the actual files.

To view temporary Internet files or downloaded objects

  1. On the View menu, click Internet Options.
  2. Click the General tab.
  3. Under Temporary Internet files, click Settings.
  4. Click View Files to view temporary files.

    – Or –

    Click View Objects to view downloaded program files.

Security

Internet Explorer supports many existing and emerging security standards, such as digital certificates, making it the most secure browser available. With it, you can conduct private communications, protect your identity on the Internet, protect your computer from potentially damaging code, prevent others from tracking your activities, and restrict the viewing of certain sites on your computer. You can even verify the identity of Web servers and positively identify yourself to those servers when desired. This means that online consumer transactions and banking can be conducted with privacy and security.

Security Features

The following security features make it easier for you to protect your computer and your privacy while using the Internet Explorer browsing software:

Security zones.

This feature allows you to divide the Web into zones and have Internet Explorer provide different levels of security, depending on which zone you have assigned to a Web site.

Authenticode technology.

Microsoft Authenticode™ certificates identify the publisher of a piece of software and verify that it has not been tampered with to help you decide whether to download it.

Privacy Protection.

Internet Explorer supports all standard Internet security protocols to ensure your privacy when you communicate over the Web.

Certificate management.

Digital certificates are electronic credentials that establish an individual’s or organization’s identity on the Internet. With certificate management, you can control which Java applets, ActiveX controls, and other software can be run on your intranet, based on who published the software.

Trust-based security for Java.

The new Internet Explorer security model for Java makes it easy to control how Java applets can interact with your computer system. This cross-platform security model provides fine-grained administration of the permissions granted to Java applets and libraries.

These security features are described in more detail in the following sections.

Configuring Security Zones

The Internet Explorer security zones divide the Internet or intranet into zones with different levels of security. This capability permits setting global browser defaults for allowing all content on "trusted" sites or disallowing content, such as Java applets or ActiveX controls, depending on the Web site of origin.

The Internet Explorer browsing software comes with four predefined zones: local intranet, trusted sites, Internet, and restricted sites. Using the Internet Properties dialog box, you can set the security options you want for each zone and then add or remove sites from any zone (except Internet), depending on your level of trust in the site. In corporate environments administrators can set up zones for users and even add or remove, in advance, the authentication certificates of software publishers that they do or do not trust so that users do not have to make security decisions while they are using the Internet.

For each security zone you can choose a high, medium, low, or custom security setting. Although Microsoft recommends the high setting for sites in a zone of uncertain trustworthiness, you can safely use the medium setting in a trusted zone. The custom choice gives advanced users and administrators more control over all security options, including the following:

Table 20.1 shows the default settings for each security zone.

Table 20.1 Security zone default settings

Zone                    Default setting
Trusted sites zone      Low (do not warn before running potentially damaging content).
Local intranet zone     Medium (warn before running potentially damaging content).
Internet zone           Medium (warn before running potentially damaging content).
Restricted sites zone   High (exclude content that could damage your computer).

To configure security zones

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Security tab.
  3. Select the zone you wish to configure from the Zone menu.
  4. Click the desired security level for that zone.
  5. If you click Custom, you can then click Settings to modify specific security settings.

Adding Sites to Security Zones

You can add sites to the Local intranet, Restricted sites, and Trusted sites security zones. The local intranet zone comprises all the sites behind your company’s proxy server or firewall. All Web sites that are not included in one of the other zones are automatically assigned to the Internet zone.

Note

Web sites can be addressed by either Domain Name System (DNS) name or IP address. For sites that use both, it is important to configure both references to the same zone.

To add sites to the Trusted or Restricted zone

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Security tab, and then select Trusted sites zone or Restricted sites zone from the Zone list.
  3. Click Add Sites.
  4. Enter the addresses of the sites you want to add to this zone, and then click Add after each site you enter.

To add sites to the Local intranet zone

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Security tab, and then select Local intranet zone from the Zone list.
  3. Click Add Sites, and then select the types of sites you want included in this zone.
  4. Click Advanced.
  5. Enter the addresses of the sites you want to add to this zone, and then click Add after each site you enter.

Note

The Internet Explorer browsing software allows you to use a wildcard character (*) when entering the address of a Web site you wish to add to a security zone.

For more detailed information about Internet Explorer security zones and security settings, see the Microsoft Internet Explorer Resource Kit. The Internet Explorer Resource Kit is available from Microsoft Press, or you can download a copy from the Internet Explorer Web site at http://www.microsoft.com/ie/corp/.

Configuring Security in the IEAK Profile Manager

Administrators can use the IEAK Profile Manager to configure Internet Explorer security zones and keep users from changing security zone settings on their computers. Click Security Zones and Content Ratings Customization under Wizard Settings to customize security zones settings. Lock down these settings by expanding Internet Properties under System Policies & Restrictions and then clicking the Security tab.

Important

If you have users who roam from one computer to another, consider the implications of selecting the first option, Use machine settings for security zones ONLY. This prevents users from having their own security settings when they are logged on to a different computer, and they inherit whatever settings are associated with that computer.

Microsoft Authenticode Technology

Microsoft Authenticode technology allows you to verify both the publisher and the integrity of specific code found on the Internet. You can make informed decisions about whether to download the specific code, as well as whether to block execution of specific types of downloadable code, such as Java applets.

Authenticode works with VeriSign, a leading certificate authority. VeriSign is responsible for issuing digital certificates (which the company refers to as "digital IDs") and continuously verifying that the certificates are still valid.

If a piece of software has been digitally signed, Internet Explorer can verify that the software originated from the named software publisher and that it has not been tampered with. Internet Explorer displays a verification certificate if the software passes the test.

The new Authenticode time-stamping feature establishes that a piece of software was properly signed during the valid lifetime of a publisher’s certificate. (Certificates have a limited lifetime to prevent giving counterfeiters enough time to eventually crack the code associated with the certificate.)

Developers can find tools for signing their code through the ActiveX software development kit (SDK).

Privacy Protection

This section describes the various aspects of privacy protection built into the Internet Explorer browsing software.

Secure channel services.

Support for Secure Socket Layer (SSL) version 2.0/3.0 and Personal Communications Technology (PCT) version 1.0 ensures that personal or business communications using the Internet or intranet are private. The SSL and PCT protocols create a secure channel so that no one can eavesdrop on communications. With secure communications guaranteed, you can buy consumer goods, reserve airplane tickets, or conduct personal banking on the Internet.

Transport Layer Security.

Transport Layer Security (TLS) is a new secure channel protocol under development by the Internet Engineering Task Force (IETF). TLS builds on existing protocols to create an improved Internet secure channel protocol.

Personal Information Exchange.

The Personal Information Exchange (PFX) is a set of public key-based security technologies that is part of the Microsoft Internet security framework. PFX supports such Internet standards as X.509 and Public Key Cryptography Standards (PKCS) #7 certificate formats. Microsoft has submitted PFX for consideration as a new PKCS standard.

Cookie privacy.

Some Web sites use cookie technology to store information on a client computer. These cookies are usually used to provide Web site personalization features. With Internet Explorer, you can choose whether to store a cookie by making the desired selection on the Advanced tab of the Internet Options dialog box.

SOCKS firewall support.

Many corporations provide their employees with access to the Internet through firewalls that protect the corporation from unwanted access. SOCKS is a standard protocol for traversing firewalls in a secure and controlled manner. Internet Explorer is compatible with firewalls that use the SOCKS protocol. Hummingbird Communications, a leading provider of firewalls, provides this support.

Windows NT Server challenge/response.

Corporations can take advantage of the Microsoft Windows NT Server LAN Manager (NTLM) challenge/response authentication that is already in use on their Windows NT Server networks. This provides users with increased password protection and security while remaining interoperable with their existing Internet information servers.

CryptoAPI.

CryptoAPI version 2.0 provides the underlying security services for secure channels and code signing. Through CryptoAPI, developers can easily integrate strong cryptography into their applications. Cryptographic Service Provider (CSP) modules interface with CryptoAPI and perform functions, including key generation and exchange, data encryption and decryption, hashing, digital signatures, and signature verification. CryptoAPI is included as a core component of the latest versions of Windows. Internet Explorer automatically provides this support for earlier versions of Windows.

PICS standards for Internet content.

Parents want assurances that children can be blocked from visiting sites that display inappropriate information. Corporations have similar concerns, wanting to block the use of sites that offer no business value to their employees. Microsoft has been working closely with the Platform for Internet Content Selection (PICS) committee to help define standards for rating Internet content. Internet Explorer supports the PICS standard, which means that you can control access to rated Web sites or use third-party rating bureaus to control access based on content. For more information about third-party rating bureaus, see the PICS specification at http://www.w3.org/pics/.

Microsoft Wallet.

Microsoft Wallet supports securely storing important and private information, such as credit cards, electronic driver’s licenses, ATM cards, and electronic cash. No application or person can view this information without your permission. In addition, you decide where to store the information (on a computer, smart card, or floppy disk). You have to enter password or account information only once and do not have to remember many different passwords. You have complete control over who can see or use this information. Wallet allows information to be securely transferred to any computer and used with any application through the use of PFX technology. Wallet supports additional payment methods (such as Internet cash) as well as other credentials and confidential information.

Note

Microsoft Wallet is an optional component of Internet Explorer and must be selected under Internet Tools when installing Windows 98.

To add or modify personal information or payment methods

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Content tab.
  3. Under Personal Information, click Addresses or Payments to add or change personal information and payment methods to be used by Internet Explorer.

Certificate Management

With Certificate Management, administrators can control which Java applets, ActiveX controls, and other software can run on their intranets based on who published the software. This control makes administering network security relatively easy. Certificates are assigned only to software publishers who meet industry guidelines for security and integrity.

Managing Certificates with the Internet Explorer Administration Kit

Through the IEAK, administrators can pre-install certificates on users’ computers and block them from downloading any other certificates. The benefit of such pre-installation is two-fold. First, it gives administrators greater control. Second, it reduces the number of warnings and choices that are presented to users when they download software from the Internet.

After initially installing Windows 98, administrators can remotely manage all allowed publisher and site certificates by adding new certificates or removing certificates from the list.

For more information, or to license and download a copy of the IEAK, visit the IEAK Web site at http://ieak.microsoft.com/.

Obtaining and Using Personal Certificates

Personal certificates verify your identity on the Web. You can obtain a certificate from a certifying authority, an organization responsible for issuing certificates and continuously verifying that the certificates are still valid. The certificate provider preferred by Microsoft is VeriSign.

For more information on obtaining a personal certificate, see Chapter 22, "Electronic Mail with Outlook Express."

Viewing Security Certificates

You can view both personal and site certificates at any time in the Internet Explorer browsing window.

To view security certificates

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Content tab.
  3. Under Certificates, click Personal, Authorities, or Publishers to view the current certificates.

Note

You can also import or export personal certificates. (The file extension is .cer or .p7c.)

Trust-Based Security for Java

Trust-based security is a cross-platform security model that adds intermediate levels of trust to the Java security model. It enhances administration of the Java Virtual Machine (VM) by providing flexible control over permissions granted to Java classes, such as access to scratch (storage) space, local files, and network connections. This allows an application to be given some additional permissions without being offered unlimited access to all other permissions in the system.

For more information about Java and the Java VM, see "Java" later in this chapter, or visit the Microsoft Java Web site at http://www.microsoft.com/java/.

Trust-based security zones.

Administrators can manage Java classes with the same trust level as a group by assigning them to the same zone. For more information about Internet Explorer Security Zones, see "Configuring Security Zones" earlier in this chapter. Administrators can configure three different sets of permissions for each zone, for both signed and unsigned code:

Permissions model.

This model supports a rich set of permissions that administrators can control with parameters and individually grant or deny for a particular zone. To reduce the number of options that administrators have to specify in common cases, the administrative user interface for trust-based security supports several preset permission sets that can be applied.

Permission signing.

Permission signing extends signed Cabinet (CAB) file functionality by allowing a signed CAB file to specify securely not only the identity of the signer, but also the set of permissions being requested for the signed classes. Because the permissions are understood by the Java VM, a Java component can read the signature and provide an accurate warning about the risks of each permission.

Permission scoping.

Permission scoping prevents permissions granted to a trusted component from being misused, either intentionally or inadvertently, by a less trusted component. Permission scoping allows a class to precisely limit the range of code for which a granted privilege is enabled for use.

Package Manager.

Package Manager allows the installation of local class libraries that are not fully trusted, using permission signing. This is important for components, such as JavaBeans, that need to reside on the local computer and have some expanded privileges but should not have unlimited power.

Trust User Interface.

The user interface defined by trust-based security for Java shields users from complicated security decisions and reduces the number of security-related dialogs they must answer. When deciding whether to trust an application, users need only make a simple "Yes/No" choice, because an administrator has already made the fine-grained decisions of what is left to the discretion of users for a particular zone.

Using Profile Assistant

The Internet Explorer Profile Assistant provides a simple way for you to store personal information that can be shared with specified Web sites. This information is completely private and secure, in that others cannot view or access it without your permission. Profile Assistant saves you from having to type in registration or demographic information each time it is requested. The Profile Assistant secure client profile is populated by default with registration information collected by Internet Explorer. If there is no data, or you wish to edit the information previously collected, you can access your profile at any time.

To access personal information in Profile Assistant

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Content tab.
  3. In the Personal Information area, click Edit Profile.
  4. Click the desired tabs to enter personal, demographic, and security information.

Note

Profile Assistant can be disabled using the Advanced tab of the Internet Options dialog box. If you disable Profile Assistant, all requests from Web sites for personal information must be handled manually.

When a Web site requests user information, such as an e-mail address, Profile Assistant opens a dialog box that provides you with the URL of the site, the specific information requested, the purpose of the request, and whether the site has a secure connection. You can then decide what information, if any, you wish to share. There is also an option you can choose to always allow this site to see the specific items you have selected.

If you have given permission for certain sites to always have access to some or all of your personal profile information, you can revoke that access at any time.

To revoke permissions previously granted to sites

  1. On the View menu, click Internet Options.

    – Or –

    In Control Panel, click the Internet icon.

  2. Click the Content tab.
  3. In the Personal Information area, click Reset Sharing, and then click Yes.