B&TW: IE Priv-Sec

Internet Explorer Privacy & Security Settings

This page provides a guided tour of most of the major privacy and security settings within Internet Explorer. We'll cover the following aspects of privacy and security in Internet Explorer:

Section Topics Covered

First Things First: What Version Do You Have? How to find your Internet Explorer version

Clearing Junk from the General Tab How to clear Temporary Internet Files & URL History

Securing the Internet Zone How to configure ActiveX controls, Java applets, scripting, & cookies safely

Managing Cookies On the Internet
Explorer 6.0 Privacy Tab How to configure cookies in Internet Explorer 6.0

Selectively Deleting & Managing Cookies How to selectively delete & manage cookies

Other Important Internet Explorer Settings How to configure Miscellaneous settings

Summary of Internet Zone Settings Review the Internet zone settings

Adding Sites to the Trusted Zone How to use the Trusted sites security zone

If you need more information about the key privacy and security issues that we'll cover on this page (the browser cache, the URL history, active content, and cookies), then see THIS page, which provides a short introduction to these several topics.
For a Summary of the Settings...
If you're already familiar with Internet Explorer's Security and Privacy settings and how to configure them, you may be interested in jumping ahead to a quick summary of the settings recommended on this page.
If you need a little help navigating the Internet Options box and making sense of all the settings you'll find there, however, please do continue reading.
Browser Versions Covered
The screenshots you'll see are from Internet Explorer 5.01 w/SP2 and Internet Explorer 6.0, except where noted. With a few exceptions (most notably the Internet Explorer 6.0 Privacy tab), these screenshots are just what you'll find in the following versions of Internet Explorer:

Internet Explorer 4.0x
Internet Explorer 5.0x
Internet Explorer 5.5x
Internet Explorer 6.0x

To find out what version of Internet Explorer you have, see the first section, First Things First: What Version Do You Have?
Windows XP SP2
In August 2004 Microsoft released Service Pack 2 for Windows XP. This upgrade package for Windows XP adds some significant new privacy and security features to the version of Internet Explorer found in Windows XP. At this time, we do not cover those new privacy and security features on this page.
For a summary of the new privacy and security features added to Windows XP, see the following documents from Microsoft:

Windows XP Service Pack 2 - Security Information for Developers

Changes to Functionality in Microsoft Windows XP Service Pack 2

Windows XP Service Pack 2: A Developer's View

AOL Web Browser
If you're using the AOL web browser, you are actually using Internet Explorer, even if you never realized it. The AOL web browser merely puts a different "face" (a different "interface" or "front end") on Internet Explorer. Consequently, the AOL web browser does use the same Internet Explorer privacy and security settings that we discuss in this document.
We'll show you how to find the version of Internet Explorer that your AOL web browser is relying upon. We'll also show you how to access privacy and security settings from within AOL. Be sure to read the note on AOL Services & Web Sites below for information on taking one additional step to ensure that AOL remains completely functional on your computer.
Finally, the AOL web browser does allow you to configure other preferences related to your privacy and security, however, these preferences are specific to AOL itself (i.e., they're not part of the Internet Explorer browser that AOL relies upon). You can get a brief overview of these other AOL preferences on THIS page.
All the screenshots you'll see for AOL are from AOL 7.0. Other versions of AOL should present you with very similar options and controls.
Internet Zone Settings
Most of the Internet Explorer settings that we'll be configuring apply to the Internet zone. The Internet zone is the default zone that all web sites fall into unless the user explicitly adds them to another zone (e.g., the Trusted sites zone or the Restricted sites zone). It's important to lock down the Internet zone as tightly as possible because a secure Internet zone is, in many ways, our first line of defense against potentially dangerous web sites. With a secure Internet zone, you'll never be unpleasantly surprised by a web site you're visiting for the first time. Locking down the Internet zone means that you will:

be protected from rogue spyware installations (e.g., Gator, BonziBuddy,
WebHancer, Lop.com, and the like);

put an end to annoying, useless pop-ups at most web sites by default;

be protected against security holes in active content that might let
hackers and crackers compromise your system and your personal
data;

put all web sites on a "short leash" until you trust them enough to add
them to your Trusted sites zone.

We'll also be disabling cookies for most web sites by default. Doing so ensures that you won't be accepting cookies from direct marketing outfits who seek to monitor and track your travels around the Net.
Balancing Privacy, Security, & Convenience
While a securely configured Internet zone gives us a good deal of protection against the more dangerous elements on the World Wide Web, that security and privacy comes at a price. A tightly configured Internet zone will break some web sites by default. That problem is easily corrected, though. If you trust a web site you're visiting to respect your privacy and security, you can add that web site to the Trusted sites zone. (See the last section for instructions of using the Trusted sites zone.) The Trusted sites zone uses a less restrictive set of privacy and security policies than the Internet zone. Once added to the Trusted sites zone, the web site should start functioning properly.
Adding web sites to the Trusted sites zone is easy, but it is an extra step, a task you may not have had to do before. That's the nature of privacy and security -- it comes at a price. Locking the door to your house or apartment gives you security and peace of mind, but it also means that you have to carry around a key (which can be lost) and that you have to spend a few more seconds getting back inside. That's a tradeoff, but it's a good one that most of us are willing to make. That same kind of tradeoff is at work on the Internet. If you want to protect your privacy and security while surfing the web, you'll have to take precautions and adjust to the tradeoffs that result.
Cookie Settings, Deletion, & Management

One note about configuring cookies in Internet Explorer: Internet Explorer 4 and 5 use different settings to configure cookies than does Internet Explorer 6. This is the biggest difference between Internet Explorer 4 and 5 on the one hand, and Internet Explorer 6 on the other.

We'll cover how to configure and manage cookies for Internet Explorer 4 and 5
in step 6 of the section titled Configuring the Internet Zone. The settings you see
in that step 6 do not appear in Internet Explorer 6, only Internet Explorer 4 and 5.

We'll cover Internet Explorer 6's cookie settings in the section titled Managing
Cookies On the Internet Explorer 6 Privacy Tab.

Please also note that in addition to configuring cookies (i.e., setting the browser to accept or reject cookies), we'll also explain how to selectively delete and manage cookies.
These two tasks are related (in that they both concern cookies), but they are ultimately different tasks. Some users will prefer to simply configure Internet Explorer to reject cookies. Other users will want to let Internet Explorer accept all cookies and then manage cookies selectively themselves, deciding which cookies to keep and which cookies to delete. We'll cover both topics.

First Things First: What Version Do You Have?

	Before we get started, let's figure out what version of Internet Explorer you're running. You'll need to know this information for some of the steps we go through later.

	To find your version of Internet Explorer, click Help >> About Internet Explorer on the Internet Explorer menu bar...



	A small box should open up with version information.



	Notice the Version: line. Usually folks refer just to the first few numbers to identify the program version, which is 6.0, in this case. You might see other versions like 4.0, 4.01, 5.0, 5.01, or 5.5. Also note the Update Versions: line. In this case it's SP1 (which stands for Service Pack 1). You might also see SP2 (Service Pack 2). On this line you might see other information like Q318293 -- those numbers indicate that individual security patches from Microsoft (perhaps from Microsoft's Windows Update service) have been installed. You can ignore these. Putting the Version: line and the Updates: line together gives us the complete program version: Internet Explorer 6.0 with SP1.

	Click the OK button to close this box when you have the information you need.

	**AOL Web Browser**

	The AOL web browser is actually just a fancy front-end to Internet Explorer. Although you may not have realized it, when you're surfing the web with AOL's web browser, you're actually using Internet Explorer underneath. Moreover, the AOL web browser relies upon the same privacy and security settings that we'll discuss in this document.

	Different versions of AOL install different versions of Internet Explorer. To find out what version of Internet Explorer is installed on your system, you'll have to locate and open Internet Explorer itself, instead of just the AOL web browser. Look on your desktop or your Start menu for an icon that resembles the following:



	Once you find such an icon, double-click on it to open Internet Explorer. With Internet Explorer open, you can locate the version information that we describe above.

	You can also locate version information for Internet Explorer from within the AOL web browser itself. Use the AOL Keyword BROWSER. You'll receive a small box with version information for Internet Explorer:



	The Current Status: line lists the version of Internet Explorer that the AOL web browser is using (Internet Explorer 5.5 with SP2, in this case).

	By the way, if you're an AOL subscriber, you're not restricted to using the AOL web browser for your web surfing. After you've established a connection to AOL, you can minimize the AOL program and open Internet Explorer as we did just above and surf the Internet as you normally would. To access AOL's special areas and content (including your AOL email account), you'll have to use the AOL program that you normally do.

	In the next section, we'll describe how to access the privacy and security settings from within the AOL browser.

Clearing Junk from the General Tab

	First, we'll clear some routine junk that accumulates every time you surf the Web with Internet Explorer. Many users find it helpful to clear this junk every time they finish surfing the web. It only takes a few seconds, and it helps keep your browser and PC free of junk that can degrade system performance and compromise your privacy. For more information on the privacy issues involved with this junk -- which accumulates in the URL History and Temporary Internet Files -- see THIS page.

1.	Open the Internet Options Box

	All of Internet Explorer's privacy and security settings can be accessed from the Internet Options box. To open Internet Options, select Tools >> Internet Options... on the menu bar. (If you're using any version of Internet Explorer 4, select View >> Internet Options...)



	The Internet Options box will open. (If you're not an AOL user, you can move ahead to the next step.)

	*AOL Internet Properties*

	The AOL web browser is actually just a fancy front-end to Internet Explorer. Although you may not have realized it, when you're surfing the web with AOL's web browser, the AOL browser is actually using Internet Explorer underneath. AOL's embedded Internet Explorer web browser does rely upon the privacy and security settings from Internet Explorer. Not only can you clear the browser cache (Temporary Internet Files) and URL History, but AOL's web browser will respect the Internet zone Security settings that we'll discuss in the next section. From within the AOL web browser you can access the same Internet Options box that you find in standard versions of Internet Explorer. In AOL, go to Settings >> Preferences.



	On the Preferences box that pops up, you'll see a link to Internet Properties (WWW). Click on that link.



	A dialog box titled AOL Internet Properties will open.



	This is essentially the same Internet Options box that we discuss in the rest of this document. From this box you can access all the privacy and security settings that we'll cover in this document, with the possible exception of the Internet Explorer 6.0 Privacy settings, depending on what version of Internet Explorer is installed on your system. To find out what version of Internet Explorer your AOL web browser is relying upon, see the first section of this document.

2.	Delete Temporary Internet Files & History

	The Internet Options box opens on the General tab. On this tab we can delete Temporary Internet files as well as the URL History (which automatically clears the typed URL dropdown list as well).



	Note that we can also set this History to be kept in number of days. Many users set this number to 0, as in the screenshot above, to prevent the History being saved across browsing sessions.

3.	Delete Cookies (Internet Explorer 6.0 only)

	If you're running Internet Explorer 6.0, you will see one additional button that is not present in earlier versions of Internet Explorer: a Delete Cookies... button. This button will clear all cookies from Internet Explorer 6.0.



	Remember: this Delete Cookies button appears only in Internet Explorer 6.0, not previous versions of Internet Explorer. If you're running an earlier version of Internet Explorer and want to delete cookies, then you'll have to delete cookies from the Temporary Internet Files directory (see the fifth section on this page below for instructions).

	*Delete All Cookies?*

	Keep in mind that if you delete all cookies, some web sites, esp. those with which you have registered, may not work properly or may fail to recognize you when you return. You might want to keep cookies for those kinds of web sites. If you do want to keep any cookies, then you'll have to use some other strategy to manage cookies. Instead of using this Delete Cookies button, you can: delete cookies selectively (see the fifth section on this page below for instructions); or configure Internet Explorer to selectively block some cookies but accept others (see the fourth section on this page below for instructions).

Securing the Internet Zone

	Next, we'll switch to the Security tab so that we can securely configure such things as ActiveX, Java, and Scripting. We'll also configure Cookies, but only in pre-IE 6.0 versions of Internet Explorer (Internet Explorer 6.0 uses the Privacy tab to configure cookies, which we'll discuss later on this page). *AOL Web Browser* Remember: if you're using the AOL web browser, your web browser relies on Internet Explorer and will respect the Security settings we describe below. To learn how to access these settings within AOL's web browser, see the previous section. Once you securely configure the Security settings as we describe below, you may need to take one additional step to ensure that all of AOL's services and web sites remain functional on your computer. See the note on AOL Services & Web Sites below for more information. Finally, the AOL web browser does allow you to configure other preferences related to your privacy and security, however, these preferences are specific to AOL itself (i.e., they're not part of the Internet Explorer browser that AOL relies upon). You can get a brief overview of these other AOL preferences on THIS page.

1.	Switch to the Security Tab

	Click on the Security tab so that we can access Internet Explorer's security zones.



	The Security tab allows us to select the zone we wish to configure and then configure it.

	*Working with Security Zones*

	Internet Explorer classifies web sites by Security zone: Internet, Local intranet, Trusted sites, Restricted sites. Each zone has its own set of security settings, allowing users to force web sites to follow different security policies, depending on the level of trust for those web sites. By default, all web sites fall into the Internet zone unless they're added by the user to one of the other zones. When we visit a web site for the first time, for example, it will fall within the Internet zone. If we don't add it to another zone (e.g., the Trusted sites or Restricted sites zone), it will remain in the Internet zone.

	As most users won't ever bother to add sites to other zones, we'll just configure the Internet zone. A secure Internet zone has significant benefits. A securely configured Internet zone gives us a high level of protection, because all web sites fall by default within that zone, esp. unfamiliar sites we may be visiting for the first time. Thus, we'll never be unpleasantly surprised by a web site that we're visiting for the first time. Web sites that we know and trust and which may require looser security settings can be added to the Trusted sites zone (see below for advice on using the Trusted sites zone).

	Once we select the zone we wish to configure, we can either adjust the Security level slider (to High, Medium, Medium-low, or Low), or we can select Custom Level... and configure all the privacy and security settings for each zone one-by-one. (Each of the four settings on the slider uses a pre-set combination of all the individual settings that we can custom configure ourselves.) Once we custom configure a zone, the slider for that zone will disappear:



	*Active Content & the Security Zones*

	To securely configure the Internet zone, we will focus on three main groups of settings: Active controls and plugins Java permissions Scripting These "active content" technologies can be used by web sites to add useful functionality to otherwise drab, static web pages. They can also be used to install spyware and adware on your PC, hijack your web browser, and compromise your privacy and security. For more information on the privacy and security issues involved with "active content," see THIS page. In what follows we will disable these forms of "active content" in the Internet zone to prevent them from being used by malicious web sites to compromise your privacy and security.

	*Warning: Broken Web Sites*

	Once we disable "active content" in the Internet zone, some web sites that rely on those technologies may not work properly. To allow web sites that you know and trust to function, you can those sites to the Trusted sites zone, which follows a more lenient set of security polices. See the instructions below for help on adding sites to the Trusted sites zone.

2.	Bring Up the Custom Level for the Internet Zone

	Click on the Internet zone icon to select it, and then hit the Custom Level... button.

3.	Configure ActiveX controls and plug-ins

	At the top of the Security Settings box that pops up are all of our settings for ActiveX controls and plug-ins.



	(Note that I've doctored this screenshot just a bit so that we can see all of the settings at once. You'll probably have to scroll down to get to some of the lower settings.)

	Change all settings for ActiveX controls and plug-ins to Disable. (Prompt might initially seem like a good compromise between Enable and Disable, but most users will be unable to cope with the flood of popup confirmation boxes that result.)

4.	Configure Microsoft VM (Java permissions)

	If we scroll down a bit, we encounter the settings for Java permissions (under Microsoft VM -- VM stands for Virtual Machine, in case you were wondering). Here we can select a safety level for Java.



	The most secure setting is, obviously, High safety.

	There's another method to configure Java permissions, though. Instead of choosing a preconfigured safety level, we can also select the Custom option...



	...and then hit the Java Custom Settings... button to bring up a detailed list of Java settings that we can custom configure.



	Most home users will find it simpler to select a pre-configured safety level, as we did above, though. Unless you know what these settings are, they are not worth bothering with.

5.	Configure Scripting

	Scrolling down still further, we encounter our Scripting settings.



	Change all Scripting settings to Disable.

	*Warning: Broken Web Sites*

	*Remember:* once we disable such things as Scripting or ActiveX controls and plug-ins, or set Java permissions to High safety, some web sites may not work properly. In such cases we can add those sites (assuming we trust them) to our Trusted sites zone. Once those sites are added to the Trusted sites zone (which uses a different set of security settings), they should start working again. See the last section on this page for details on how to use the Trusted sites zone.

	*Where to Go Next...*

	If you're using Internet Explorer 6.0, then your job in the Internet Options box is through. Move to the next section in order to configure Cookies on the Privacy tab.

	If you're using an earlier version of Internet Explorer, then you're not quite through, because you can also configure Cookies within the Security Settings box. (Internet Explorer 6.0 users configure cookies on the Privacy tab -- see the next section for instructions.)

	*AOL Services & Web Sites*

	Securely configuring the Internet zone (as we've done above) may cause problems for some of AOL's services and web sites. If you lock down the Internet zone using the settings described above and you find that certain aspects of AOL don't work anymore, there's a simple solution: add the aol.com domain to your Trusted sites zone. Once aol.com added to your Trusted sites zone (which uses a different set of security settings than the Internet zone we've configured here), AOL's services and web sites should start working again. See the last section on this page for details on how to add items like aol.com to the Trusted sites zone.

6.	Configure Cookies

	Cookies are small "data tags" that allow web sites to recognize us when we return to those web sites. While cookies can be useful -- say, for being recognized at a web site with which we've registered -- they can also be used by advertisers to track our movements and behavior across the Net. To protect our privacy, we need to configure Internet Explorer's cookie settings so that the browser stores only cookies that we find useful. For more information on the privacy issues involved with cookies, see THIS page. While Internet Explorer 4, Internet Explorer 5, and Internet Explorer 6 are very similar in most of their privacy and security settings, they present different options for handling cookies. Internet Explorer 5 allows you to configure cookies within the various Security zones. Internet Explorer 4, by contrast, keeps its cookie settings on the Advanced tab, not in the zones on the Security tab. Internet Explorer 6 (which we'll cover in the next section) introduces a completely new way to configure cookies: the cookie settings on the Privacy tab.
	In this step, we'll discuss cookie configuration for Internet Explorer 5 and Internet Explorer 4. If you're using Internet Explorer 6, you can skip this step and move directly to the last step in this section.

	*Internet Explorer 5.0x & 5.5x*

	For any version of Internet Explorer 5, you can configure Cookies within the Security Settings for each zone. (Note: the screenshot you see below is from Internet Explorer 5. )



	Note that "cookies stored on your computer" are permanent cookies that are saved to your hard drive for future use by web sites. By contrast, "per-session cookies" are temporary cookies that are automatically deleted once you close Internet Explorer. These are usually not a problem. (Session cookies are frequently used for the virtual "shopping carts" employed by merchandising sites like Amazon.com and CDNow.)

	If you wish to preserve some cookies for certain web sites, then you should *not* disable "stored" cookies. You will need to selectively manage and delete cookies -- see the section entitled Selectively Deleting & Managing Cookies for details.

	*Internet Explorer 4.0x*

	Internet Explorer 4 does not allow you to configure cookies by Security zone. If you're using Internet Explorer 4, you'll have to close the Internet zone Security Settings box (click Apply, then OK) and switch to the Advanced tab. There you'll find a similar looking group of cookie settings under the Security section. (Note: the screenshot you see below is from Internet Explorer 4. You won't find any cookie settings on the Advanced tab in Internet Explorer 5 or 6.)



	The cookie settings you see on the Advanced tab apply to *all* the security zones -- there's no way to configure cookies for each zone separately, unlike Internet Explorer 5.0x and 5.5. Moreover, the options we have are fairly limited (Enable, Prompt, Disable) -- there's no way to distinguish between permanent cookies and session cookies (as we can do with Internet Explorer 5) or first-party vs. third-party cookies (as we can do with Internet Explorer 6).

	If you wish to preserve some cookies for certain web sites, then you should *not* disable cookies. You will need to selectively manage and delete cookies -- see the section entitled Selectively Deleting & Managing Cookies for details. (You could select Prompt, but most users will quickly tire of barrage of prompts when surfing the web.)

	*Note: Other Versions of Internet Explorer* For Internet Explorer 6, you'll need to use the Privacy tab to set cookies, as the settings we discussed above aren't available in Internet Explorer 6 (see the next section for instructions).

7.	Close Security Settings / Internet Options Boxes

	If you're using Internet Explorer 4 or 5, click Apply and OK to close the Security Settings box, then OK again to close Internet Options. At this point you should learn how to Selectively Delete & Manage Cookies. You may also want to read about how to Add Sites to the Trusted Zone.

	If you're using Internet Explorer 6, move on to the next section to learn how to configure cookies on the Privacy tab.

Managing Cookies On the Internet Explorer 6.0 Privacy Tab

	Cookies are small "data tags" that allow web sites to recognize us when we return to those web sites. While cookies can be useful -- say, for being recognized at a web site with which we've registered -- they can also be used by advertisers to track our movements and behavior across the Net. To protect our privacy, we need to configure Internet Explorer's cookie settings so that the browser stores only cookies that we find useful. For more information on the privacy issues involved with cookies, see THIS page. Internet Explorer 6 does not allow us to configure cookies from the Security tab or the Advanced tab, as we just did for Internet Explorer 4 and 5 above. With Internet Explorer 6, we configure cookies on the Privacy tab, which is right next to the Security tab. (If you don't see a Privacy tab on the Internet Options box, then you haven't got Internet Explorer 6, and you can safely skip this section.)

	*The Privacy Tab, Cookies, & Security Zones*

	The cookies settings on the Privacy tab apply to the Internet zone only. Cookies are blocked by default in the Restricted sites zone and accepted by default in the Trusted sites zone. There is no easy way to change cookie settings for those two zones, unlike Internet Explorer 4 and Internet Explorer 5. Internet Explorer 6, however, gives us many more options for controlling cookies in the Internet zone.

1.	Switch to the Privacy Tab

	To configure cookies for Internet Explorer 6.0, switch to the Privacy tab.



	It's important to recognize that we have a range of choices to make here. The Privacy tab allows us to configure cookies in three different ways. We can:

	adjust the Settings slider bar to one of six different privacy levels (Block All, High, Medium High, Medium, Low, Accept All), or override the Settings slider bar with Advanced Privacy Settings from the Advanced... button, or override the Settings slider bar by selecting a custom XML Privacy Import file from the Import... button.
	Keep in mind that these three different methods for configuring and controlling cookies are mutually exclusive: we can only use one method at a time. We can't mix and match methods. Once we use one method to configure cookies, any changes we've made using the other methods are ignored or disabled.

	Whatever method we choose to configure cookies, we can also add specific web sites to the Web Sites - Per Site Privacy Actions list, so that cookies from those individual sites will always be blocked or allowed, no matter what our other settings are (except when the Settings slider bar is set to Block All Cookies or Accept All Cookies).

2.	Adjust the Settings Slider

	Most home users will initially find it easiest to adjust the Settings slider bar, primarily because it is presented front-and-center on the Privacy tab and because the slider appears to be a simple way to "ratchet up" one's privacy. We'll cover the Settings slider bar first, but I'm going to suggest that the Settings slider bar is *deceptively simple* and doesn't give you nearly as much privacy protection as some of the other options that are available for cookies in Internet Explorer 6.0. You can move the Settings slider bar up and down. Pay attention to the descriptions of each slider setting as you move the slider bar up and down from level to level.



	Block All Cookies is, obviously, the most restrictive setting, and it will do just what the name suggests.

	There are other settings to choose from on the slider bar, though. Here's a summary of all six settings with accompanying descriptions:

	Setting	Description
	Block All Cookies	Cookies from all Web sites will be blocked Existing cookies on your computer cannot be read by Web sites
	High	Cookies from all Web sites that do not have a compact policy (a condensed computer–readable privacy statement) will be blocked Cookies from all Web sites that use your personally identifiable information without your explicit consent will be blocked
	Medium High	Cookies from third–party Web sites that do not have a compact policy (a condensed computer–readable privacy statement) will be blocked Cookies from third–party Web sites that use your personally identifiable information without your explicit consent will be blocked Cookies from first–party Web sites that use your personally identifiable information without your implicit consent will be blocked
	Medium	Cookies from third–party Web sites that do not have a compact policy (a condensed computer–readable privacy statement) will be blocked Cookies from third–party Web sites that use your personally identifiable information without your implicit consent will be blocked Cookies from first–party Web sites that use your personally identifiable information without your implicit consent will be deleted from your computer when you close Internet Explorer
	Low	Cookies from third–party Web sites that do not have a compact policy (a condensed computer–readable privacy statement) will be blocked Cookies from third–party Web sites that use your personally identifiable information without your implicit consent will be deleted from your computer when you close Internet Explorer
	Accept All Cookies	All cookies will be saved on your computer Existing cookies on your computer can be read by the Web sites that created them
	Note: this chart is taken from the online Microsoft document "Use Security and Privacy Features in Internet Explorer 6."

The descriptions for the six slider bar settings use a few terms that you may not be familiar with. To help you make sense of those settings, a few definitions and explanations are in order:

a compact policy is a privacy policy that web sites can post and which Internet Explorer can read and analyze. A compact policy details the kinds of information that a web site collects from and about you, as well as what it intends to do with that information. Not all web sites will have compact policies (and not all compact policies provide strong privacy protections).
personally identifiable information is information that is unique to you (e.g., your name, address, SSN#, credit card, etc.). By contrast, non-personally identifiable information consists of information that cannot be uniquely tied to you (e.g., your Internet IP address, the pages you visit on a web site, the number of times you visit, etc.).
first-party vs. third-party distinguishes the web site you are currently visiting from other web sites which may place content on that first-party web site (for example, banner ads from advertisers). (For a more complete description, see the Advanced Privacy Settings step below.)
implicit vs. explicit consent distinguishes sites with "opt-out" privacy policies from those with "opt-in" privacy policies. An "opt-out" privacy policy means that the site is free to collect, use, and exchange information it gathers from and about you unless and until you tell them to stop -- that's implicit consent, because you have to "opt-out" of the web site's data collection before it will stop. Your consent is implicitly assumed.

An "opt-in" privacy policy, by contrast, means that the web site cannot collect, use, and exchange information that it gathers from and about you unless and until you give your permission for them to do so -- that's explicit consent, because you must "opt-in" to a web site's data collection before it can start. Your consent must be explicitly given.

Despite the complexity of all of these terms and concepts, most users will find it easiest to manipulate the slider bar, because it uses those six apparently simple, straightforward privacy levels (Block All, High, Medium High, Medium, Low, Accept All). Users who are serious about protecting their privacy with Internet Explorer 6.0, however would be well advised to use one of the other two methods described next.

The Problem with the Settings Slider Bar

If the Settings slider bar initially appears to be an easy way to protect one's privacy, why am I saying that there are problems with it? The answer lies with what those slider levels actually do.

It's easy to move the slider bar up to Block All Cookies, but blocking all cookies will prevent some web sites from working properly. If you've registered with a web site in order to access content or services, blocking all cookies will stop you from accessing the site because the site won't be able to recognize you as a registered user. Cookies can be useful in that way. So, for most users, Block All Cookies is not a realistic option for surfing the web. We want to accept and keep some cookies; the question becomes: how do we accept only useful cookies?

The next highest setting, High, appears to be a strong setting, but with that setting Internet Explorer 6.0 will (much to our surprise) still accept cookies from most third-party advertisers and marketers. Here's why.

The description for the High setting specifies that:

Cookies from all Web sites that do not have a compact policy (a condensed
computer–readable privacy statement) will be blocked
Cookies from all Web sites that use your personally identifiable information
without your explicit consent will be blocked

Third-party advertisers and marketers, such as Doubleclick, have gotten wise to Internet Explorer 6.0, however. Not only will those advertisers and marketers have compact policies (one of the requirements for the High slider level), but those compact policies will specify that no personally identifiable information is used by the third-party site (the other requirement for the High slider level).

The result: Internet Explorer 6.0 accepts cookies from Doubleclick and other major third-party advertisers! Doubleclick, in fact, clearly notes on its web site that Internet Explorer 6.0 will accept its cookies. Even though Doubleclick says it doesn't use "personally identifiable information," that doesn't mean that they're not tracking your activities on the Internet. It just means that they think you shouldn't care.

The only way to stop those third-party advertisers' cookies is to choose the highest setting, Block All Cookies, but, as we noted, that's not really an acceptable choice for most people. And keep in mind that cookies from third-party advertisers and marketers are the very kinds of cookies that most people want to stop. Those are the cookies that allow Doubleclick and others to track your activities across thousands of web sites.

So, what intially appeared to be an easy, effective way to protect one's privacy turns out to be much less effective than we thought, primarily because we don't have real choices with the Settings slider bar. Block All Cookies isn't a viable option because we want to accept some cookies, not block them all. High, the very next step down, lets us accept useful cookies, but it also forces us to accept third-party advertising cookies that we want to block. (And the settings below High only get worse.) We want cookie settings that allow us to accept useful cookies but block most, if not all, cookies from advertisers and marketers, and the slider bar simply won't let us do that.

Anyone who is serious about privacy on the Internet ought to reject the Settings slider bar and use one of the other methods instead. Indeed, the Advanced Privacy Settings, which we'll cover next, is just as easy to use (once you learn a few new terms) and it lets us block all those third-party advertising cookies without blocking truly useful cookies from first-party web sites we've registered with.

Note: if you'd like a more advanced, involved discussion of the problems with the Internet Explorer 6.0 slider bar and the Privacy Settings more generally, see THIS page. Most home users, however, will find that advanced discussion overwhelming, though. And if you'd like to see just how little privacy the settings slider affords you, see THIS page.

or Configure the Advanced Privacy Settings

If we don't want to use the Settings slider bar, we can hit the Advanced... button to bring up the Advanced Privacy Settings box.

To use this box, check the "Override automatic cookie handling" box (which turns the Settings slider bar off on the Privacy tab). Then configure First-party Cookies and Third-party Cookies:

Advanced Privacy Settings - Override and Block

First-party cookies are cookies that originate from the web site that you happen to be visiting. Third-party cookies are cookies that originate from outside the web site you're visiting. That's confusing, I know. Let me give you an example of how first-party and third-party cookies work.

Let's say I visit MSNBC.com. MSNBC.com might try to place its own cookie on my hard drive. That's a first-party cookie. The cookie originates from MSNBC.com and I happen to be visiting MSNBC.com.

Now let's say that MSNBC.com also happens to use banners ads from Doubleclick.net. The banner ads are served up to my browser from Doubleclick's servers, which also attempt to place one of Doubleclick's cookies on my hard drive. Remember: I'm visiting MSNBC.com, but Doubleclick has ads on that page and tries to place one of its cookies on my hard drive. That makes Doubleclick's cookie a third-party cookie. It originates from a site other than the one I'm directly visiting.

Third-party cookies are actually quite common. Third-party cookies are typically used by big advertisers and marketers like Doubleclick, who place banner ads and pop-ups on web sites (much like ad agencies place advertisements in newspapers and magazines, or buy 30 second spots on television for commercials). Third-party cookies are usually OK to always block.

Session cookies are temporary cookies that are automatically deleted once you close Internet Explorer. (Session cookies are frequently used for the virtual "shopping carts" employed by merchandising sites like Amazon.com and CDNow.) All other cookies are permanent cookies that are saved to your hard drive for future use by the web sites you visit. Session cookies are fairly innocuous because they aren't preserved across browsing sessions (once you close Internet Explorer, they're gone).

Keep in mind that if we use the Advanced Privacy Settings on this page, those settings override the Settings slider bar that we looked at above.

Do you see now why I said that most home users will find it easiest simply to adjust the Settings slider bar on the Privacy tab? Even though the Settings slider bar might initially appear to be easier to use, however, I would suggest that the Advanced Privacy Settings are not only just as easy (once you learn the distinction between first-party and third-party cookies), but are in fact a more effective way to protect your privacy in Internet Explorer 6.0. With the Advanced Privacy Settings, we can block cookies from major third-party advertisers and marketers like Doubleclick, while still accepting first-party cookies from web sites we've regsitered with.

or Import an XML Privacy Settings File

One final method we can use to configure cookies within Internet Explorer 6.0 is a special XML Privacy Import file. An XML Privacy Import file contains pre-configured settings that Internet Explorer 6.0 can use to configure cookies in the Internet and Trusted sites zones, not just the Internet zone.

To import an XML Privacy Import file, hit the Import... button on the Privacy tab, then navigate to the XML file that you wish to import, and double-click on it. IE 6.0 will confirm that you actually want to import that XML file into IE 6.0.

As with the Advanced Privacy Settings that we looked at previously, the settings contained in these XML Privacy Import files override the Settings slider bar.

As you've probably suspected, XML Privacy Import files are for advanced users only. Most home users will never even think about using custom XML Privacy Import files -- they're simply too involved and complicated.

Moreover, Internet Explorer 6.0 doesn't provide you with any XML files -- you have to build them yourself or acquire them from someone who has already built them. And to build them, you'll need special instructions from Microsoft's web site.

The XML Privacy Import files you see in the screenshot above come from a special set of pre-built files that you can download. If you're interested in using those XML files yourself, you can download the set of XML files (IE6 Custom) from this page:

http://www.spywarewarrior.com/uiuc/resource5.htm

...and import them into Internet Explorer 6.0, as we described above. That download package (IE6 Custom) gives you a wide range of XML files to choose from, so read the accompanying documentation carefully.

Add Web Sites to the Per Site Privacy Actions

Whatever method we choose to use in order to configure cookies in Internet Explorer 6.0, we can override those settings on a site-by-site basis through the Per Site Privacy Actions box (unless the Settings slider bar is set to Block All Cookies or Accept All Cookies).

Hit the Edit... button under Web Sites on the Privacy tab.

Now we can specify sites that we want Internet Explorer to always block or always allow, no matter what our other cookie settings happen to be (except when the Settings slider bar is set to Block All Cookies or Accept All Cookies). These Per Site Privacy Action settings are especially useful for allowing cookies from sites that we use often and that require cookies (for example, web-based email services like Hotmail or Yahoo).

Close Security Settings / Internet Options Boxes

Click OK to close the Security Settings box, then OK again to close Internet Options.

Warning: Broken Web Sites

Remember: if we choose overly restrictive cookie settings on the Privacy tab, then some sites may not let us in or may force us to log in manually. If you wish to preserve cookies on an individual site-by-site basis, you can either use the Per Site settings described above, or you can allow cookies liberally and then selectively manage and delete them, as described in the next section.

At this point you may want to read about how to Selectively Delete & Manage Cookies as well as how to Add Sites to the Trusted Zone.

Selectively Deleting & Managing Cookies

Sometimes we may want to configure Internet Explorer to accept cookies (as we learned how to do in the previous two sections), but then delete some cookies that we pick up from web sites so that we keep only a select few cookies. If we wish to manage and delete cookies selectively, we can do so through Windows Explorer.

(Note that in the first section we saw that Internet Explorer 6.0 allows us to delete cookies from the General tab. That Delete Cookies button on the General tab deletes all cookies at once. What we'll learn to do below, however, is to delete cookies selectively so that we can keep some cookies that we find useful instead of deleting all of them.)

Please note that we're going to take a short detour through the Cookies folder, so that you understand how the Cookies folder works. We'll won't actually delete cookies directly in the Cookies folder, though; we'll delete them from our Temporary Internet Files folder instead.

Open Windows Explorer

Open Windows Explorer on the Start menu.

Start >> Programs >> Accessories >> Windows Explorer

Find the Cookies Folder

If you're on Windows 95, 98, 98SE, or Me, you can find your Cookies folder in the Windows folder (i.e., \Windows\Cookies).

If you're on Windows NT 4.0, open the Winnt folder, then find the Profiles folder. In the Profiles folder, find your own individual user folder. In that folder, you'll find your Cookies folder (i.e., \Winnt\Profiles\<user>\Cookies).

If you're on Windows 2000 or XP, find the Documents and Settings folder. Then find your own individual user folder under Documents and Settings. In your own individual user folder, you'll see your Cookies folder (i.e., \Documents and Settings\<user>\Cookies).

Once you open the Cookies folder, you should see a number of cookies.

$Viewing Cookies in the \Cookies folder$

Internet Explorer stores cookies on your hard drive as individual text files (unlike Netscape, which stores all of its cookies in one text file). You can doubleclick on individual cookies and look at them. There's not much to see, though...

Notice the unique id number -- that's essentially the "name tag" given you by the web site that placed the cookie on your hard drive. The web site can use that unique id number to recognize you when you return to the web site. That unique id is what's at the heart of a cookie.

Even though we can view our cookies in the Cookies folder, we shouldn't delete them directly from here. Internet Explorer mirrors our cookies in the Temporary Internet Files folder, which we'll move on to next. If we delete cookies directly from the Cookies folder, Internet Explorer will still display them in the Temporary Internet Files folder.

To avoid this problem, we'll delete cookies from Temporary Internet Files, and Internet Explorer will remove the corresponding text files from the Cookies folder for us. In effect, we'll keep the Temporary Internet Files folder and the Cookies folder "in synch."

Find the Temporary Internet Files folder

Next, find the Temporary Internet Files folder. The location of this folder will vary depending on what version of Windows you are running:

Windows 95, 98, 98SE, or Me: you can find your Temporary Internet Files folder in the
Windows folder, just like the Cookies folder (i.e., \Windows\Temporary Internet Files).
Windows NT 4.0: your Temporary Internet Files folder will be in your own individual
user folder, just like the Cookies folder (i.e., \Winnt\Profiles\<user>\Temporary
Internet Files).
Windows 2000 or XP: your Temporary Internet Files folder will be in your own individual
user folder under Local Settings (i.e., \Documents and Settings\<user>\Local Settings\
Temporary Internet Files).

$Viewing Cookies from \Temporary Internet Files$

Assuming you've deleted Temporary Internet Files (your browser cache) as described at the beginning of this page, the only things you should see in Temporary Internet Files are cookies. (If you see a lot of files that don't appear to be cookies, delete your Temporary Internet files as we described above, then return to the Temporary Internet Files folder.)

Remember: what you see here are mirrored copies of your cookies, which are actually stored as text files in the Cookies folder that we looked at just above. (And, no, don't ask me why Microsoft programmed Internet Explorer to behave like this!)

Selectively Delete Cookies from Temporary Internet Files

We can selectively delete individual cookies by highlighting the ones we want to get rid of...

...and hitting Delete. Internet Explorer will prompt us to confirm that we actually want to delete the cookies we selected.

Warning: Are you sure you want to delete the selected Cookie(s)?

And that's all there is to it!

Note that in the screenshots you see, we elected to save one cookie from Wired.com. As we've noted several times already, the advantage to deleting cookies selectively is that we can save valuable cookies for web sites that require them and that we frequently visit.

Shortcut to Temporary Internet Files

Some users might not like dealing with Windows Explorer. For those users, there is a quicker way to get to the cookies they want to delete.

From within Internet Explorer, open the Internet Options box...

...and hit the Settings... button under Temporary Internet files.

In the Settings box that pops up, hit the View Files... button.

Do these look familiar? They should. They're the same cookies that we viewed earlier in Windows Explorer.

As before, if you see more files than just cookies, delete your Temporary Internet files as described earlier, and then return to this box.

From here we can select and delete cookies individually, just like we did earlier in Windows Explorer.

Other Important Internet Explorer Settings

Internet Explorer does have a few other settings that are important to look at when considering how to protect one's privacy and security on the Internet. You won't find these settings in any version of Netscape or Opera -- they're exclusive to Internet Explorer.

Right in the middle of the Security Settings for the Internet zone (which we looked at above) is a group of settings titled Miscellaneous. In some ways these settings are nearly as important as the settings for ActiveX controls, Java applets, and scripting, all of which can let web sites do obnoxious and potentially things to your computer.

To protect ourselves while surfing the Internet, we ought to consider disabling some of the more dangerous settings in the Miscellaneous group.

The most important settings to disable are:

Access data sources across domains
Allow META REFRESH
Display mixed content
Installation of desktop items
Launching programs in an IFRAME
Navigate sub-frames across different domains
Userdata persistence

All of these settings should be disabled. Note that Display mixed content setting and Allow META REFRESH are found on Internet Explorer 6.0 only, not earlier versions of Internet Explorer.

Finally, at the bottom of the Security Settings is a category titled User Authentication (not pictured here). That setting should be set to Prompt for username and password.

As with so many of the other settings we've looked at, once we disable these Miscellaneous settings, some web sites may not work correctly. If we trust the web site we're visiting, we can add the site to the Trusted sites zone. Once added to the Trusted sites zone, the web site should function correctly.

See the last section for instructions how to add web sites to the Trusted sites zone.

Summary of Internet Zone Settings

Before we move on and discuss how to use the Trusted sites zone, let's briefly summarize the settings we've configured in the Internet zone.

ActiveX controls & plug-ins	*Setting*
Download signed ActiveX controls Download unsigned ActiveX controls Run ActiveX controls and plug-ins Initialize and run ActiveX controls and plug-ins not marked as safe Script ActiveX controls marked as safe for scripting	*Disable* *All*

Microsoft VM	*Setting*
Java permissions	High Safety

Scripting	*Setting*
Active scripting Scripting of Java programs Allow paste operations via script	*Disable* *All*

Miscellaneous	*Setting*
Access data sources across domains Allow META REFRESH Display Mixed Content Installation of desktop items Launching programs and files in an IFRAME Navigate sub-frames across different domains Userdata persistence	*Disable* *All*

User Authentication	*Setting*
Logon	Prompt for user name and password

Note that the table above doesn't summarize cookie settings.

Now that we've disabled many settings that some web sites may depend on, we should learn how to use the Trusted sites zone for web sites that we trust so that those sites aren't broken when we visit them.

Adding Sites to the Trusted Sites Zone

As noted earlier, if we configure Internet Explorer's cookie settings too restrictively, or if we disable Java, Scripting, and ActiveX in in the Internet zone, or if we disable many of the Miscellaneous settings, some web sites may not work properly or could refuse to let us in. We might be tempted to relax our cookie settings and re-enable Java, Scripting, and ActiveX, but there's a better solution: add individual web sites to our Trusted sites zone.

Our Trusted sites zone uses different Security Settings than our Internet zone. By default, Cookies, ActiveX, Java, and Scripting are Enabled or set to Low safety in the Trusted sites zone. And as with the Internet zone, we can customize the Security Settings even further.

The Trusted sites zone allows us to permit individual web sites that depend on things like Cookies, Scripting, and so forth to use them, without forcing us to relax our default Internet zone settings. If we encounter a web site that requires Scripting or Cookies (or ActiveX or Java), we can add the site to our Trusted sites zone, and refresh the web page, which should then work fine.

Here's an example: let's say we want UIUC's WebMail service to work properly. If we disable Scripting and Cookies as we did above, WebMail won't work. To get WebMail to work, we'll add the uiuc.edu domain to our Trusted sites zone, thus letting webmail.uiuc.edu use cookies and Scripting.

Here's how to do it:

Go to the Internet Options Security tab & Select the Trusted Sites Zone

Go the Security tab in Internet Options. Make sure the Trusted sites zone is selected.

Internet Options: Security tab - Trusted sites zone

Open the Trusted Sites Box

Click the Sites... button to open the Trusted Sites box.

Add the uiuc.edu domain to the Trusted Sites

Type the following into the top box:

*.uiuc.edu

We're adding the entire uiuc.edu domain to our Trusted sites zone with a wild card ( * ) so that all web sites at uiuc.edu will fall within our Trusted sites zone. (If we added only webmail.uiuc.edu, other sites at uiuc.edu would still fall in the Internet zone.)

Uncheck the box labeled "Require server verification (https:) for all sites in this zone." (If you don't uncheck the box, Internet Explorer won't let you add uiuc.edu to the list of Trusted Sites, because this new entry doesn't start with https:.)

Click Add to put the uiuc.edu domain into the list of Trusted Sites.

Note that we could have specified webmail.uiuc.edu, but that would have placed only webmail.uiuc.edu into the Trusted zone, not all web sites from uiuc.edu.

Close the Trusted Sites Box & the Internet Options Box

Click OK to close the Trusted Sites box. Click OK again to close Internet Options.

Refresh the Web Page

If you're currently at webmail.uiuc.edu, hit the Refresh button to reload the web site. WebMail should work now. If it doesn't, try deleting Temporary Internet files (as described at the start of this page), closing and re-opening Internet Explorer, and then returning to the WebMail page.

You can always tell what zone a site falls into by looking at the bottom right-hand corner of the Internet Explorer window:

Internet zone:

Trusted sites zone:

Restricted sites zone:

A Handy Security Zone Utility from Microsoft

If you start to make extensive use of the Trusted sites and Restricted sites zones, you might want to download IE Power Tweaks Web Accessories, a special set of utilities from Microsoft, from here:

http://www.microsoft.com/windows/ie/previous/webaccess/default.mspx

This set of utilities will add two new menu options to the Tools menu in Internet Explorer:

Add to Trusted Zone
Add to Restricted Zone

This makes adding sites that you want to the Trusted sites zone a cinch. Once we're at a web site that we wish to add to the Trusted sites zone, we can just use the Add to Trusted Zone menu option:

Although the IE Power Tweaks Web Accessories is billed as a tool for Internet Explorer 5, it will work just fine on Internet Explorer 6 as well.

What sites should be added to the Trusted sites zone?

What sites you put in your Trusted sites zone involve choices that only you can make. I can offer a few criteria that I use when deciding to admit a site or domain to my Trusted sites zone:

The site/domain must have content that I consider extremely valuable or important.
That content must be accessible only with things like Scripting, cookies, ActiveX controls, Java, etc. enabled (and which are permitted only in my Trusted sites zone). In other words, what I want from the site must require the security settings of my Trusted sites zone in order for it to be accessed.
The site/domain must be well known and reputable. Generally speaking, small outfits/sites with which I'm not familiar or comfortable don't ever make it into my Trusted sites zone.
The site/domain musn't blitz me with cookies, obnoxious popups, Flash animations, etc. I can handle a cookie or two if the content I receive in exchange is quality and is presented in a usable manner. If the site wants to take liberties with every browser technology known to God and man, forget it.

Examples:

The nytimes.com domain is in my Trusted sites zone so that I can read The New York Times free every day (fantastic deal, I think). The free registration and cookie required to access the content at The New York Times web site are a modest "price" to pay for daily access to one of the world's great newspapers.
The uiuc.edu domain is also in my Trusted sites zone because there are numerous pages and services at the University of Illinois web site -- a site I use every day -- that require cookies, Scripting, and Java to be enabled. More importantly, however, the University of Illinois web site is completely trustworthy in my judgment -- it will never it install spyware or adware on my PC, nor will it litter my desktop with obnoxious Flash animation advertising. Thus, I am happy to allow cookies, Java, and Scripting to be used when visiting the University's web site because I am confident my trust won't be betrayed.
The msnbc.com domain, by contrast, is not my Trusted sites zone (and will never be), because I can get what (little) I want from that site without having to accept the scads of cookies, popups, and who knows what all else that they want to load me up with.

As I said, these are personal decisions based on your own unique judgments and assessments.

Conclusion

I hope you've found this short tour of Internet Explorer's privacy and security features interesting and helpful. If you need more assistance or still have questions, check the following web pages for links to information about web browser privacy and security:

If you're using AOL, you may also want to get an overview of the AOL privacy and security preferences that are specific to AOL services.

AOL Privacy & Security Preferences

Home [frames] Home [no frames]

Section	Topics Covered
First Things First: What Version Do You Have?	How to find your Internet Explorer version
Clearing Junk from the General Tab	How to clear Temporary Internet Files & URL History
Securing the Internet Zone	How to configure ActiveX controls, Java applets, scripting, & cookies safely
Managing Cookies On the Internet Explorer 6.0 Privacy Tab	How to configure cookies in Internet Explorer 6.0
Selectively Deleting & Managing Cookies	How to selectively delete & manage cookies
Other Important Internet Explorer Settings	How to configure Miscellaneous settings
Summary of Internet Zone Settings	Review the Internet zone settings
Adding Sites to the Trusted Zone	How to use the Trusted sites security zone