In association with heise online

Security settings

Settings highlighted in blue are a compromise between a Web site's security and usability, green settings provide the maximum protection. Black settings refer to the default values of new installations. If an option does not provide a blue setting, the default setting constitutes a reasonable compromise.

ActiveX control elements constitute a major risk and should only be loaded and launched upon the user's explicit confirmation. This also applies for (perhaps local) controls marked as "safe". Unsigned ActiveX controls should never be used at all.

Active scripting includes the setting for JScript and VBScript. Since scripting often is a prerequisite for exploiting security holes, users should disable it, although part of the functionality is then lost for many sites. The option prompt is not viable in this case since users would have to switch off alerts all the time, which reduces the usability of a Web site as much as disabling scripting, if not more. Therefore, such alerts should only be activated for paste operations and for scripting Java applets; these do not occur very often.

A viable compromise is to work with various zones. Disable the active scripting option in the Internet zone and put all trusted sites that require active scripting onto the list of trusted sites. This is a quick means of obtaining a configuration where important functions work properly, while the majority of risks are eliminated.

"Allow paste operations via script" permits a Web page to access the clipboard. This entails a certain degree of risk that may be managed by selecting the Prompt option. The clipboard could well contain confidential information from other applications.


Most input fields of Web pages require the transfer of unencrypted data from forms, which must therefore be permitted as a general setting.

Users should only permit the creation of objects on the desktop in exceptional cases.

IFRAMES and framesets, which display various Web sites in several frames (and thus hide the origin of these pages), should only be permitted in exceptional cases since the risks of abuse are manifold.

If the transfer of unencrypted data from forms is disabled, many contact forms and search engines can no longer be used.

The software channel transfers programs to a user's computer if he has subscribed to such a channel. Since programs might be infected with viruses or might contain Trojans, users should carefully select the programs to be stored on their computer and check their origin.


  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit