IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness

See Also: Part 1: Authenticode - No and never again!

The Information Bar is a new piece of UI that shows up when potentially dangerous actions on a page have been blocked. It appears between the toolbar and the content window, and looks a bit like the bar that appears in Outlook 2003 and MSN 8/9 to block images from email messages.

The following are some of the actions blocked by the Information Bar.

ActiveX Install Prompts

In Part 1 I discussed some of the changes made to Authenticode to enhance usability and allow you to block publishers you don't trust. What I didn't mention is that in most cases you won't even see the dialog anymore, because the Information Bar will appear first!

If you're like me, you're wary about installation dialogs for a couple of reasons. First, there's always the possibility you might miss-click and accidentally install something that could be spyware/malware. Next, even though you know not to install unsolicited software, do your friends and family that use your computer understand this? Also, what happens when they stray from mainstream sites and reach a malicious page that bombards them with multiple ActiveX install prompts in an attempt to trap them into installing the software? We've changed some of the plumbing for Authenticode to help prevent multiple prompts, and you can now hold down Esc to both cancel the dialog and stop loading the page, but the the Information Bar goes further by simply not showing the dialog unless you request it.

When you click the bar you're presented with a menu from which you can install the ActiveX control. This temporarily turns off the block and refreshes the page, at which point you will get the Authenticode dialog.

One case that will bypass the Information Bar in this scenario is when a page is using a control that is newer than the one you already have installed. Since you have already trusted the software we permit the Authenticode dialog to show immediately in order to promote upgrades, particularly because upgrades often contain security fixes. A control will only be considered an upgrade if it uses the same CLSID as a control that is installed and it has been signed with the same certificate as the installed control. This helps prevent malicious sites from bypassing the Information Bar by making their control look like an upgrade.

Non-user-initiated Download Prompts

Like ActiveX, if a page tries to push a file download on you, again raising the possibility that you will run (or save and later run) unsolicited software, it will be blocked by the Information Bar. The logic for whether to block downloads is similar to the logic for blocking pop-up windows, so if you directly click a link you'll get the file download dialog unimpeded. Some download sites will have to adapt to this new behavior.

On a side note, we have also turned on the option to verify the signature on certain types of files such as EXEs. This means that when you run software from the download dialog you may get a secondary prompt that shows the same information as the Authenticode dialog (i.e. name and publisher from the digital signature). This prompt helps certify that the file is, indeed, from who it says it is from. File attachments in Outlook Express and a few other scenarios will get the same treatment.

Blocked Pop-up Windows

As with blocked downloads, Jeff Davis is much more qualified to talk about this, but I'll mention a couple of things.

First, the pop-up blocker is now on by default! When a pop-up window is blocked the Information Band will appear, and from there you replay the pop-ups, always allow pop-ups for the site, and configure the pop-up blocker. The first thing I do from here is turn off the Information Bar for pop-ups. They're so common, and so infrequently wanted, that I prefer the lighter weight option of just showing the status bar icon.

ActiveX Control Blocked Errors

If you've ever tried to browse the web with elevated security settings (or on Windows 2003 server) you know that it can be a frustrating experience because of the frequent message boxes stating that "An ActiveX control has been blocked...". Now this'll be pulled into the Information Bar, giving you a less intrusive user experience. Unlike most of the other items in Information Bar, this is not actionable. There is currently no way to temporarily lower your security settings to get the ActiveX install prompt.

This also means that if you're really paranoid, install the interesting/useful ActiveX controls like Flash, and then to go "Tools/Internet Options...", "Security" tab, "Custom Level" (for Internet), and set "Download signed ActiveX controls" to Disable. Now you have no chance of accidentally installing ActiveX controls and the browser is still usable.

Local Machine Zone Lockdown

Local Machine Zone Lockdown is one of the most impactful security mitigations in IE for XP SP2. It deserves an entire blog entry (or several), but, briefly, LMZ Lockdown affects the explorer.exe and iexplore.exe processes, and places severe restrictions on on things such as executing script and running ActiveX controls in the local machine zone (i.e. a local .html file). When the lockdown is in effect you will see the Information Bar with a menu item that lets you temporarily disable the lockdown by reverting to the old Local Machine Zone settings for that instance of the browser.


That's all for now. Note that there may be more (or fewer) actions blocked by the Information Bar in the future, and I haven't necessarily covered them all.

In designing and building these IE security features we've spent a lot of time trying to find the right balance between allowing sites to do what they need (preserving site compatibility), and giving the users more control. This is a very fine line; anything we do to stop the "bad guys" also has the potential to break the "good guys" if they are doing something similar, but for legitimate reasons. Between now and RTM you can expect site compatibility to get a bit better as we implement (safe) workarounds for common scenarios, but if you're a web developer you should not rely on it.

Do you think this will make browsing the web more secure? What about reducing the proliferation of spyware/malware?