Internet Explorer Privacy & Security Settings |
This page provides a guided tour of most of the major privacy and security settings within Internet Explorer. We'll cover the following aspects of privacy and security in Internet Explorer:
Section Topics Covered First Things First: What Version Do You Have? How to find your Internet Explorer version Clearing Junk from the General Tab How to clear Temporary Internet Files & URL History Securing the Internet Zone How to configure ActiveX controls, Java applets, scripting, & cookies safely Managing Cookies On the Internet
Explorer 6.0 Privacy TabHow to configure cookies in Internet Explorer 6.0 Selectively Deleting & Managing Cookies How to selectively delete & manage cookies Other Important Internet Explorer Settings How to configure Miscellaneous settings Summary of Internet Zone Settings Review the Internet zone settings Adding Sites to the Trusted Zone How to use the Trusted sites security zone If you need more information about the key privacy and security issues that we'll cover on this page (the browser cache, the URL history, active content, and cookies), then see THIS page, which provides a short introduction to these several topics.
For a Summary of the Settings...
If you're already familiar with Internet Explorer's Security and Privacy settings and how to configure them, you may be interested in jumping ahead to a quick summary of the settings recommended on this page.
If you need a little help navigating the Internet Options box and making sense of all the settings you'll find there, however, please do continue reading.
Browser Versions Covered
The screenshots you'll see are from Internet Explorer 5.01 w/SP2 and Internet Explorer 6.0, except where noted. With a few exceptions (most notably the Internet Explorer 6.0 Privacy tab), these screenshots are just what you'll find in the following versions of Internet Explorer:
Internet Explorer 4.0x
Internet Explorer 5.0x
Internet Explorer 5.5x
Internet Explorer 6.0xTo find out what version of Internet Explorer you have, see the first section, First Things First: What Version Do You Have?
Windows XP SP2
In August 2004 Microsoft released Service Pack 2 for Windows XP. This upgrade package for Windows XP adds some significant new privacy and security features to the version of Internet Explorer found in Windows XP. At this time, we do not cover those new privacy and security features on this page.
For a summary of the new privacy and security features added to Windows XP, see the following documents from Microsoft:
- Windows XP Service Pack 2 - Security Information for Developers
- Changes to Functionality in Microsoft Windows XP Service Pack 2
- Windows XP Service Pack 2: A Developer's View
AOL Web Browser
If you're using the AOL web browser, you are actually using Internet Explorer, even if you never realized it. The AOL web browser merely puts a different "face" (a different "interface" or "front end") on Internet Explorer. Consequently, the AOL web browser does use the same Internet Explorer privacy and security settings that we discuss in this document.
We'll show you how to find the version of Internet Explorer that your AOL web browser is relying upon. We'll also show you how to access privacy and security settings from within AOL. Be sure to read the note on AOL Services & Web Sites below for information on taking one additional step to ensure that AOL remains completely functional on your computer.
Finally, the AOL web browser does allow you to configure other preferences related to your privacy and security, however, these preferences are specific to AOL itself (i.e., they're not part of the Internet Explorer browser that AOL relies upon). You can get a brief overview of these other AOL preferences on THIS page.
All the screenshots you'll see for AOL are from AOL 7.0. Other versions of AOL should present you with very similar options and controls.
Internet Zone Settings
Most of the Internet Explorer settings that we'll be configuring apply to the Internet zone. The Internet zone is the default zone that all web sites fall into unless the user explicitly adds them to another zone (e.g., the Trusted sites zone or the Restricted sites zone). It's important to lock down the Internet zone as tightly as possible because a secure Internet zone is, in many ways, our first line of defense against potentially dangerous web sites. With a secure Internet zone, you'll never be unpleasantly surprised by a web site you're visiting for the first time. Locking down the Internet zone means that you will:
- be protected from rogue spyware installations (e.g., Gator, BonziBuddy,
WebHancer, Lop.com, and the like);
- put an end to annoying, useless pop-ups at most web sites by default;
- be protected against security holes in active content that might let
hackers and crackers compromise your system and your personal
data;
- put all web sites on a "short leash" until you trust them enough to add
them to your Trusted sites zone.We'll also be disabling cookies for most web sites by default. Doing so ensures that you won't be accepting cookies from direct marketing outfits who seek to monitor and track your travels around the Net.
Balancing Privacy, Security, & Convenience
While a securely configured Internet zone gives us a good deal of protection against the more dangerous elements on the World Wide Web, that security and privacy comes at a price. A tightly configured Internet zone will break some web sites by default. That problem is easily corrected, though. If you trust a web site you're visiting to respect your privacy and security, you can add that web site to the Trusted sites zone. (See the last section for instructions of using the Trusted sites zone.) The Trusted sites zone uses a less restrictive set of privacy and security policies than the Internet zone. Once added to the Trusted sites zone, the web site should start functioning properly.
Adding web sites to the Trusted sites zone is easy, but it is an extra step, a task you may not have had to do before. That's the nature of privacy and security -- it comes at a price. Locking the door to your house or apartment gives you security and peace of mind, but it also means that you have to carry around a key (which can be lost) and that you have to spend a few more seconds getting back inside. That's a tradeoff, but it's a good one that most of us are willing to make. That same kind of tradeoff is at work on the Internet. If you want to protect your privacy and security while surfing the web, you'll have to take precautions and adjust to the tradeoffs that result.
Cookie Settings, Deletion, & Management
One note about configuring cookies in Internet Explorer: Internet Explorer 4 and 5 use different settings to configure cookies than does Internet Explorer 6. This is the biggest difference between Internet Explorer 4 and 5 on the one hand, and Internet Explorer 6 on the other.
- We'll cover how to configure and manage cookies for Internet Explorer 4 and 5
in step 6 of the section titled Configuring the Internet Zone. The settings you see
in that step 6 do not appear in Internet Explorer 6, only Internet Explorer 4 and 5.
- We'll cover Internet Explorer 6's cookie settings in the section titled Managing
Cookies On the Internet Explorer 6 Privacy Tab.Please also note that in addition to configuring cookies (i.e., setting the browser to accept or reject cookies), we'll also explain how to selectively delete and manage cookies.
These two tasks are related (in that they both concern cookies), but they are ultimately different tasks. Some users will prefer to simply configure Internet Explorer to reject cookies. Other users will want to let Internet Explorer accept all cookies and then manage cookies selectively themselves, deciding which cookies to keep and which cookies to delete. We'll cover both topics.
First Things First: What Version Do You Have? | |
Before we get started, let's figure out what version of Internet Explorer you're running. You'll need to know this information for some of the steps we go through later. | |
To find your version of Internet Explorer, click Help >> About Internet Explorer on the Internet Explorer menu bar... | |
![]() |
|
A small box should open up with version information. | |
![]() |
|
|
|
Click the OK button to close this box when you have the information you need. | |
AOL Web Browser | |
The AOL web browser is actually just a fancy front-end to Internet Explorer. Although you may not have realized it, when you're surfing the web with AOL's web browser, you're actually using Internet Explorer underneath. Moreover, the AOL web browser relies upon the same privacy and security settings that we'll discuss in this document. | |
Different versions of AOL install different versions of Internet Explorer. To find out what version of Internet Explorer is installed on your system, you'll have to locate and open Internet Explorer itself, instead of just the AOL web browser. Look on your desktop or your Start menu for an icon that resembles the following: | |
![]() |
|
Once you find such an icon, double-click on it to open Internet Explorer. With Internet Explorer open, you can locate the version information that we describe above. | |
You can also locate version information for Internet Explorer from within the AOL web browser itself. Use the AOL Keyword BROWSER. You'll receive a small box with version information for Internet Explorer: | |
![]() |
|
The Current Status: line lists the version of Internet Explorer that the AOL web browser is using (Internet Explorer 5.5 with SP2, in this case). | |
By the way, if you're an AOL subscriber, you're not restricted to using the AOL web browser for your web surfing. After you've established a connection to AOL, you can minimize the AOL program and open Internet Explorer as we did just above and surf the Internet as you normally would. To access AOL's special areas and content (including your AOL email account), you'll have to use the AOL program that you normally do. | |
In the next section, we'll describe how to access the privacy and security settings from within the AOL browser. | |
Clearing Junk from the General Tab | |
First, we'll clear some routine
junk that accumulates every time you surf the Web with Internet
Explorer.
Many users find it helpful to clear this junk every time they finish surfing the web. It only takes a few seconds, and it helps keep your browser and PC free of junk that can degrade system performance and compromise your privacy. For more information on the privacy issues involved with this junk -- which accumulates in the URL History and Temporary Internet Files -- see THIS page. |
|
1. | Open the Internet Options Box |
All of Internet Explorer's privacy and security settings can be accessed from the Internet Options box. To open Internet Options, select Tools >> Internet Options... on the menu bar. (If you're using any version of Internet Explorer 4, select View >> Internet Options...) | |
![]() |
|
The Internet Options box will open. (If you're not an AOL user, you can move ahead to the next step.) | |
AOL Internet Properties | |
The AOL web browser is actually just a fancy
front-end to Internet Explorer. Although you may not have realized it,
when you're surfing the web with AOL's web browser, the AOL browser is actually
using Internet Explorer underneath. AOL's embedded Internet Explorer web
browser does rely upon the privacy and security settings from Internet
Explorer. Not only can you clear the browser cache (Temporary Internet
Files) and URL History, but AOL's web browser will respect the Internet
zone Security settings that we'll discuss in the next
section. From within the AOL web browser you can access the same Internet Options box that you find in standard versions of Internet Explorer. In AOL, go to Settings >> Preferences. |
|
![]() |
|
On the Preferences box that pops up, you'll see a link to Internet Properties (WWW). Click on that link. | |
![]() |
|
A dialog box titled AOL Internet Properties will open. | |
![]() |
|
This is essentially the same Internet Options box that we discuss in the rest of this document. From this box you can access all the privacy and security settings that we'll cover in this document, with the possible exception of the Internet Explorer 6.0 Privacy settings, depending on what version of Internet Explorer is installed on your system. To find out what version of Internet Explorer your AOL web browser is relying upon, see the first section of this document. | |
2. | Delete Temporary Internet Files & History |
The Internet Options box opens on the General tab. On this tab we can delete Temporary Internet files as well as the URL History (which automatically clears the typed URL dropdown list as well). | |
![]() |
|
Note that we can also set this History to be kept in number of days. Many users set this number to 0, as in the screenshot above, to prevent the History being saved across browsing sessions. | |
3. | Delete Cookies (Internet Explorer 6.0 only) |
If you're running Internet Explorer 6.0, you will see one additional button that is not present in earlier versions of Internet Explorer: a Delete Cookies... button. This button will clear all cookies from Internet Explorer 6.0. | |
![]() |
|
Remember: this Delete Cookies button appears only in Internet Explorer 6.0, not previous versions of Internet Explorer. If you're running an earlier version of Internet Explorer and want to delete cookies, then you'll have to delete cookies from the Temporary Internet Files directory (see the fifth section on this page below for instructions). | |
Delete All Cookies? | |
Keep in mind that if you delete all cookies, some web
sites, esp. those with which you have registered, may not work properly
or may fail to recognize you when you return. You might want to keep
cookies for those kinds of web sites.
If you do want to keep any cookies, then you'll have to use some other strategy to manage cookies. Instead of using this Delete Cookies button, you can:
|
|
Securing the Internet Zone | |
Next, we'll switch to the Security tab so that we can securely configure such things
as ActiveX, Java, and Scripting. We'll also configure
Cookies, but only in pre-IE 6.0
versions of Internet Explorer (Internet Explorer 6.0 uses
the Privacy tab to configure
cookies, which we'll discuss later
on this page).
AOL Web Browser Remember: if you're using the AOL web browser, your web browser relies on Internet Explorer and will respect the Security settings we describe below. To learn how to access these settings within AOL's web browser, see the previous section. Once you securely configure the Security settings as we describe below, you may need to take one additional step to ensure that all of AOL's services and web sites remain functional on your computer. See the note on AOL Services & Web Sites below for more information. Finally, the AOL web browser does allow you to configure other preferences related to your privacy and security, however, these preferences are specific to AOL itself (i.e., they're not part of the Internet Explorer browser that AOL relies upon). You can get a brief overview of these other AOL preferences on THIS page. |
|
1. | Switch to the Security Tab |
Click on the Security tab so that we can access Internet Explorer's security zones. | |
![]() |
|
The Security tab allows us to select the zone we wish to configure and then configure it. | |
Working with Security Zones | |
Internet Explorer classifies web sites by Security zone: Internet, Local intranet, Trusted sites, Restricted sites. Each zone has its own set of security settings, allowing users to force web sites to follow different security policies, depending on the level of trust for those web sites. By default, all web sites fall into the Internet zone unless they're added by the user to one of the other zones. When we visit a web site for the first time, for example, it will fall within the Internet zone. If we don't add it to another zone (e.g., the Trusted sites or Restricted sites zone), it will remain in the Internet zone. | |
As most users won't ever bother to add sites to other zones, we'll just configure the Internet zone. A secure Internet zone has significant benefits. A securely configured Internet zone gives us a high level of protection, because all web sites fall by default within that zone, esp. unfamiliar sites we may be visiting for the first time. Thus, we'll never be unpleasantly surprised by a web site that we're visiting for the first time. Web sites that we know and trust and which may require looser security settings can be added to the Trusted sites zone (see below for advice on using the Trusted sites zone). | |
Once we select the zone we wish to configure, we can either adjust the Security level slider (to High, Medium, Medium-low, or Low), or we can select Custom Level... and configure all the privacy and security settings for each zone one-by-one. (Each of the four settings on the slider uses a pre-set combination of all the individual settings that we can custom configure ourselves.) Once we custom configure a zone, the slider for that zone will disappear: | |
![]() |
|
Active Content & the Security Zones | |
To securely configure the Internet zone, we will
focus on three main groups of settings:
These "active content" technologies can be used by web sites to add useful functionality to otherwise drab, static web pages. They can also be used to install spyware and adware on your PC, hijack your web browser, and compromise your privacy and security. For more information on the privacy and security issues involved with "active content," see THIS page. In what follows we will disable these forms of "active content" in the Internet zone to prevent them from being used by malicious web sites to compromise your privacy and security. |
|
Warning: Broken Web Sites | |
Once we disable "active content" in the Internet zone, some web sites that rely on those technologies may not work properly. To allow web sites that you know and trust to function, you can those sites to the Trusted sites zone, which follows a more lenient set of security polices. See the instructions below for help on adding sites to the Trusted sites zone. | |
2. | Bring Up the Custom Level for the Internet Zone |
Click on the Internet zone icon to select it, and then hit the Custom Level... button. | |
3. | Configure ActiveX controls and plug-ins |
At the top of the Security Settings box that pops up are all of our settings for ActiveX controls and plug-ins. | |
![]() |
|
(Note that I've doctored this screenshot just a bit so that we can see all of the settings at once. You'll probably have to scroll down to get to some of the lower settings.) | |
Change all settings for ActiveX controls and plug-ins to Disable. (Prompt might initially seem like a good compromise between Enable and Disable, but most users will be unable to cope with the flood of popup confirmation boxes that result.) | |
4. | Configure Microsoft VM (Java permissions) |
If we scroll down a bit, we encounter the
settings for Java permissions (under Microsoft VM -- VM
stands for Virtual Machine, in case you were wondering).
Here we can select a safety level for Java. |
|
![]() |
|
The most secure setting is, obviously, High safety. | |
There's another method to configure Java permissions, though. Instead of choosing a preconfigured safety level, we can also select the Custom option... | |
![]() |
|
...and then hit the Java Custom Settings... button to bring up a detailed list of Java settings that we can custom configure. | |
![]() |
|
Most home users will find it simpler to select a pre-configured safety level, as we did above, though. Unless you know what these settings are, they are not worth bothering with. | |
5. | Configure Scripting |
Scrolling down still further, we encounter our Scripting settings. | |
![]() |
|
Change all Scripting settings to Disable. | |
Warning: Broken Web Sites | |
Remember: once we disable such things as Scripting or ActiveX controls and plug-ins, or set Java permissions to High safety, some web sites may not work properly. In such cases we can add those sites (assuming we trust them) to our Trusted sites zone. Once those sites are added to the Trusted sites zone (which uses a different set of security settings), they should start working again. See the last section on this page for details on how to use the Trusted sites zone. | |
Where to Go Next... | |
If you're using Internet Explorer 6.0, then your job in the Internet Options box is through. Move to the next section in order to configure Cookies on the Privacy tab. | |
If you're using an earlier version of Internet Explorer, then you're not quite through, because you can also configure Cookies within the Security Settings box. (Internet Explorer 6.0 users configure cookies on the Privacy tab -- see the next section for instructions.) | |
AOL Services & Web Sites | |
Securely configuring the Internet zone (as we've done
above) may cause problems for some of AOL's services and web
sites. If you lock down the Internet zone using the settings
described above and you find that certain aspects of AOL don't work
anymore, there's a simple solution: add the aol.com domain to
your Trusted sites zone.
Once aol.com added to your Trusted sites zone (which uses a different set of security settings than the Internet zone we've configured here), AOL's services and web sites should start working again. See the last section on this page for details on how to add items like aol.com to the Trusted sites zone. |
|
6. | Configure Cookies |
Cookies are small "data tags" that allow web
sites to recognize us when we return to those web sites. While cookies
can be useful -- say, for being recognized at a web site with which
we've registered -- they can also be used by advertisers to track our
movements and behavior across the Net. To protect our privacy, we need
to configure Internet Explorer's cookie settings so that the
browser stores only cookies that we find useful. For more information on
the privacy issues involved with cookies, see THIS
page.
While Internet Explorer 4, Internet Explorer 5, and Internet Explorer 6 are very similar in most of their privacy and security settings, they present different options for handling cookies.
|
|
In this step, we'll discuss cookie configuration for Internet Explorer 5 and Internet Explorer 4. If you're using Internet Explorer 6, you can skip this step and move directly to the last step in this section. | |
Internet Explorer 5.0x & 5.5x | |
For any version of Internet Explorer
5,
you can configure Cookies within the Security Settings for each zone.
(Note: the screenshot you see below is from Internet Explorer 5. ) |
|
![]() |
|
Note that "cookies stored on your computer" are permanent cookies that are saved to your hard drive for future use by web sites. By contrast, "per-session cookies" are temporary cookies that are automatically deleted once you close Internet Explorer. These are usually not a problem. (Session cookies are frequently used for the virtual "shopping carts" employed by merchandising sites like Amazon.com and CDNow.) | |
If you wish to preserve some cookies for certain web sites, then you should not disable "stored" cookies. You will need to selectively manage and delete cookies -- see the section entitled Selectively Deleting & Managing Cookies for details. | |
Internet Explorer 4.0x | |
Internet Explorer 4 does not allow you to configure
cookies by Security zone. If you're using Internet Explorer 4, you'll have to close the Internet
zone Security Settings box (click Apply, then OK) and switch to the Advanced tab.
There you'll find a similar looking group of cookie settings under the Security
section.
(Note: the screenshot you see below is from Internet Explorer 4. You won't find any cookie settings on the Advanced tab in Internet Explorer 5 or 6.) |
|
![]() |
|
The cookie settings you see on the Advanced tab apply to all the security zones -- there's no way to configure cookies for each zone separately, unlike Internet Explorer 5.0x and 5.5. Moreover, the options we have are fairly limited (Enable, Prompt, Disable) -- there's no way to distinguish between permanent cookies and session cookies (as we can do with Internet Explorer 5) or first-party vs. third-party cookies (as we can do with Internet Explorer 6). | |
If you wish to preserve some cookies for certain web sites, then you should not disable cookies. You will need to selectively manage and delete cookies -- see the section entitled Selectively Deleting & Managing Cookies for details. (You could select Prompt, but most users will quickly tire of barrage of prompts when surfing the web.) | |
Note: Other Versions of Internet Explorer
For Internet Explorer 6, you'll need to use the Privacy tab to set cookies, as the settings we discussed above aren't available in Internet Explorer 6 (see the next section for instructions). |
|
7. | Close Security Settings / Internet Options Boxes |
If you're using Internet Explorer 4 or 5, click Apply and OK to close the Security Settings box, then OK again to close Internet Options. At this point you should learn how to Selectively Delete & Manage Cookies. You may also want to read about how to Add Sites to the Trusted Zone. | |
If you're using Internet Explorer 6, move on to the next section to learn how to configure cookies on the Privacy tab. | |
Managing Cookies On the Internet Explorer 6.0 Privacy Tab | |
Cookies are small "data tags" that allow web
sites to recognize us when we return to those web sites. While cookies
can be useful -- say, for being recognized at a web site with which
we've registered -- they can also be used by advertisers to track our
movements and behavior across the Net. To protect our privacy, we need
to configure Internet Explorer's cookie settings so that the
browser stores only cookies that we find useful. For more information on
the privacy issues involved with cookies, see THIS
page.
Internet Explorer 6 does not allow us to configure cookies from the Security tab or the Advanced tab, as we just did for Internet Explorer 4 and 5 above. With Internet Explorer 6, we configure cookies on the Privacy tab, which is right next to the Security tab. (If you don't see a Privacy tab on the Internet Options box, then you haven't got Internet Explorer 6, and you can safely skip this section.) |
|
The Privacy Tab, Cookies, & Security Zones | |
The cookies settings on the Privacy tab apply to the Internet zone only. Cookies are blocked by default in the Restricted sites zone and accepted by default in the Trusted sites zone. There is no easy way to change cookie settings for those two zones, unlike Internet Explorer 4 and Internet Explorer 5. Internet Explorer 6, however, gives us many more options for controlling cookies in the Internet zone. | |
1. | Switch to the Privacy Tab |
To configure cookies for Internet Explorer 6.0, switch to the Privacy tab. | |
![]() |
|
It's important to recognize that we have a range of choices to make here. The Privacy tab allows us to configure cookies in three different ways. We can: | |
|
|
Keep in mind that these three different methods for configuring and controlling cookies are mutually exclusive: we can only use one method at a time. We can't mix and match methods. Once we use one method to configure cookies, any changes we've made using the other methods are ignored or disabled. | |
Whatever method we choose to configure cookies, we can also add specific web sites to the Web Sites - Per Site Privacy Actions list, so that cookies from those individual sites will always be blocked or allowed, no matter what our other settings are (except when the Settings slider bar is set to Block All Cookies or Accept All Cookies). | |
2. | Adjust the Settings Slider |
Most home users will initially find it easiest to adjust the Settings slider bar,
primarily because it is presented front-and-center on the Privacy
tab and because the slider appears to be a simple way to "ratchet
up" one's privacy. We'll cover the Settings slider bar
first, but I'm going to suggest that the Settings slider bar is deceptively
simple and doesn't give you nearly as much privacy protection as
some of the other options that are available for cookies in Internet
Explorer 6.0.
You can move the Settings slider bar up and down. Pay attention to the descriptions of each slider setting as you move the slider bar up and down from level to level. |
|
![]() |
|
Block All Cookies is, obviously, the most restrictive setting, and it will do just what the name suggests. | |
There are other settings to choose from on the slider bar, though. Here's a summary of all six settings with accompanying descriptions: | |
Setting | Description | ||
Block All Cookies |
|
||
High |
|
||
Medium High |
|
||
Medium |
|
||
Low |
|
||
Accept All Cookies |
|
||
Note: this chart is taken from the online Microsoft document "Use Security and Privacy Features in Internet Explorer 6." |
The descriptions for the six slider bar settings use a few terms that you may not be familiar with. To help you make sense of those settings, a few definitions and explanations are in order: | |||||||||||
|
|||||||||||
Despite the complexity of all of these terms and concepts, most users will find it easiest to manipulate the slider bar, because it uses those six apparently simple, straightforward privacy levels (Block All, High, Medium High, Medium, Low, Accept All). Users who are serious about protecting their privacy with Internet Explorer 6.0, however would be well advised to use one of the other two methods described next. | |||||||||||
The Problem with the Settings Slider Bar | |||||||||||
If the Settings slider bar initially appears to be an easy way to
protect one's privacy, why am I saying that there are problems with it?
The answer lies with what those slider levels actually do.
It's easy to move the slider bar up to Block All Cookies, but blocking all cookies will prevent some web sites from working properly. If you've registered with a web site in order to access content or services, blocking all cookies will stop you from accessing the site because the site won't be able to recognize you as a registered user. Cookies can be useful in that way. So, for most users, Block All Cookies is not a realistic option for surfing the web. We want to accept and keep some cookies; the question becomes: how do we accept only useful cookies? The next highest setting, High, appears to be a strong setting, but with that setting Internet Explorer 6.0 will (much to our surprise) still accept cookies from most third-party advertisers and marketers. Here's why. The description for the High setting specifies that:
Third-party advertisers and marketers, such as Doubleclick, have gotten wise to Internet Explorer 6.0, however. Not only will those advertisers and marketers have compact policies (one of the requirements for the High slider level), but those compact policies will specify that no personally identifiable information is used by the third-party site (the other requirement for the High slider level). The result: Internet Explorer 6.0 accepts cookies from Doubleclick and other major third-party advertisers! Doubleclick, in fact, clearly notes on its web site that Internet Explorer 6.0 will accept its cookies. Even though Doubleclick says it doesn't use "personally identifiable information," that doesn't mean that they're not tracking your activities on the Internet. It just means that they think you shouldn't care. The only way to stop those third-party advertisers' cookies is to choose the highest setting, Block All Cookies, but, as we noted, that's not really an acceptable choice for most people. And keep in mind that cookies from third-party advertisers and marketers are the very kinds of cookies that most people want to stop. Those are the cookies that allow Doubleclick and others to track your activities across thousands of web sites. |
|||||||||||
So, what intially appeared to be an easy, effective way to protect one's privacy turns out to be much less effective than we thought, primarily because we don't have real choices with the Settings slider bar. Block All Cookies isn't a viable option because we want to accept some cookies, not block them all. High, the very next step down, lets us accept useful cookies, but it also forces us to accept third-party advertising cookies that we want to block. (And the settings below High only get worse.) We want cookie settings that allow us to accept useful cookies but block most, if not all, cookies from advertisers and marketers, and the slider bar simply won't let us do that. | |||||||||||
Anyone who is serious about privacy on the Internet ought to reject the Settings slider bar and use one of the other methods instead. Indeed, the Advanced Privacy Settings, which we'll cover next, is just as easy to use (once you learn a few new terms) and it lets us block all those third-party advertising cookies without blocking truly useful cookies from first-party web sites we've registered with. | |||||||||||
Note: if you'd like a more advanced, involved discussion of the problems with the Internet Explorer 6.0 slider bar and the Privacy Settings more generally, see THIS page. Most home users, however, will find that advanced discussion overwhelming, though. And if you'd like to see just how little privacy the settings slider affords you, see THIS page. | |||||||||||
3. | or Configure the Advanced Privacy Settings | ||||||||||
If we don't want to use the Settings slider bar, we can hit the Advanced... button to bring up the Advanced Privacy Settings box. | |||||||||||
![]() |
|||||||||||
To use this box, check the "Override automatic cookie handling" box (which turns the Settings slider bar off on the Privacy tab). Then configure First-party Cookies and Third-party Cookies: | |||||||||||
![]() |
|||||||||||
First-party cookies are cookies that originate from the web site that you happen to be visiting. Third-party cookies are cookies that originate from outside the web site you're visiting. That's confusing, I know. Let me give you an example of how first-party and third-party cookies work. | |||||||||||
Let's say I visit MSNBC.com. MSNBC.com might try to place its own cookie on my hard drive. That's a first-party cookie. The cookie originates from MSNBC.com and I happen to be visiting MSNBC.com. | |||||||||||
Now let's say that MSNBC.com also happens to use banners ads from Doubleclick.net. The banner ads are served up to my browser from Doubleclick's servers, which also attempt to place one of Doubleclick's cookies on my hard drive. Remember: I'm visiting MSNBC.com, but Doubleclick has ads on that page and tries to place one of its cookies on my hard drive. That makes Doubleclick's cookie a third-party cookie. It originates from a site other than the one I'm directly visiting. | |||||||||||
Third-party cookies are actually quite common. Third-party cookies are typically used by big advertisers and marketers like Doubleclick, who place banner ads and pop-ups on web sites (much like ad agencies place advertisements in newspapers and magazines, or buy 30 second spots on television for commercials). Third-party cookies are usually OK to always block. | |||||||||||
Session cookies are temporary cookies that are automatically deleted once you close Internet Explorer. (Session cookies are frequently used for the virtual "shopping carts" employed by merchandising sites like Amazon.com and CDNow.) All other cookies are permanent cookies that are saved to your hard drive for future use by the web sites you visit. Session cookies are fairly innocuous because they aren't preserved across browsing sessions (once you close Internet Explorer, they're gone). | |||||||||||
Keep in mind that if we use the Advanced Privacy Settings on this page, those settings override the Settings slider bar that we looked at above. | |||||||||||
Do you see now why I said that most home users will find it easiest simply to adjust the Settings slider bar on the Privacy tab? Even though the Settings slider bar might initially appear to be easier to use, however, I would suggest that the Advanced Privacy Settings are not only just as easy (once you learn the distinction between first-party and third-party cookies), but are in fact a more effective way to protect your privacy in Internet Explorer 6.0. With the Advanced Privacy Settings, we can block cookies from major third-party advertisers and marketers like Doubleclick, while still accepting first-party cookies from web sites we've regsitered with. | |||||||||||
4. | or Import an XML Privacy Settings File | ||||||||||
One final method we can use to configure cookies within Internet Explorer 6.0 is a special XML Privacy Import file. An XML Privacy Import file contains pre-configured settings that Internet Explorer 6.0 can use to configure cookies in the Internet and Trusted sites zones, not just the Internet zone. | |||||||||||
To import an XML Privacy Import file, hit the Import... button on the Privacy tab, then navigate to the XML file that you wish to import, and double-click on it. IE 6.0 will confirm that you actually want to import that XML file into IE 6.0. | |||||||||||
![]() |
|||||||||||
As with the Advanced Privacy Settings that we looked at previously, the settings contained in these XML Privacy Import files override the Settings slider bar. | |||||||||||
As you've probably suspected, XML Privacy Import files are for advanced users only. Most home users will never even think about using custom XML Privacy Import files -- they're simply too involved and complicated. | |||||||||||
Moreover, Internet Explorer 6.0 doesn't provide you with any XML files -- you have to build them yourself or acquire them from someone who has already built them. And to build them, you'll need special instructions from Microsoft's web site. | |||||||||||
The XML Privacy Import files you see in the screenshot above come from a special set of pre-built files that you can download. If you're interested in using those XML files yourself, you can download the set of XML files (IE6 Custom) from this page: | |||||||||||
http://www.spywarewarrior.com/uiuc/resource5.htm | |||||||||||
...and import them into Internet Explorer 6.0, as we described above. That download package (IE6 Custom) gives you a wide range of XML files to choose from, so read the accompanying documentation carefully. | |||||||||||
5. | Add Web Sites to the Per Site Privacy Actions | ||||||||||
Whatever method we choose to use in order to
configure cookies in Internet Explorer 6.0, we can override those
settings on a site-by-site basis through the Per Site Privacy Actions
box (unless the Settings slider bar
is set to Block All Cookies or Accept All Cookies).
Hit the Edit... button under Web Sites on the Privacy tab. |
|||||||||||
![]() |
|||||||||||
Now we can specify sites that we want Internet Explorer to always block or always allow, no matter what our other cookie settings happen to be (except when the Settings slider bar is set to Block All Cookies or Accept All Cookies). These Per Site Privacy Action settings are especially useful for allowing cookies from sites that we use often and that require cookies (for example, web-based email services like Hotmail or Yahoo). | |||||||||||
6. | Close Security Settings / Internet Options Boxes | ||||||||||
Click OK to close the Security Settings box, then OK again to close Internet Options. | |||||||||||
Warning: Broken Web Sites | |||||||||||
Remember: if we choose overly restrictive cookie settings on the Privacy tab, then some sites may not let us in or may force us to log in manually. If you wish to preserve cookies on an individual site-by-site basis, you can either use the Per Site settings described above, or you can allow cookies liberally and then selectively manage and delete them, as described in the next section. | |||||||||||
At this point you may want to read about how to Selectively Delete & Manage Cookies as well as how to Add Sites to the Trusted Zone. | |||||||||||
Selectively Deleting & Managing Cookies | |||||||||||
Sometimes we may want to configure Internet Explorer to accept cookies (as we learned how to do in the previous two sections), but then delete some cookies that we pick up from web sites so that we keep only a select few cookies. If we wish to manage and delete cookies selectively, we can do so through Windows Explorer. | |||||||||||
(Note that in the first section we saw that Internet Explorer 6.0 allows us to delete cookies from the General tab. That Delete Cookies button on the General tab deletes all cookies at once. What we'll learn to do below, however, is to delete cookies selectively so that we can keep some cookies that we find useful instead of deleting all of them.) | |||||||||||
Please note that we're going to take a short detour through the Cookies folder, so that you understand how the Cookies folder works. We'll won't actually delete cookies directly in the Cookies folder, though; we'll delete them from our Temporary Internet Files folder instead. | |||||||||||
1. | Open Windows Explorer | ||||||||||
Open Windows Explorer on the Start menu. | |||||||||||
![]() |
|||||||||||
2. | Find the Cookies Folder | ||||||||||
If you're on Windows 95, 98, 98SE, or Me, you can find your Cookies folder in the Windows folder (i.e., \Windows\Cookies). | |||||||||||
If you're on Windows NT 4.0, open the Winnt folder, then find the Profiles folder. In the Profiles folder, find your own individual user folder. In that folder, you'll find your Cookies folder (i.e., \Winnt\Profiles\<user>\Cookies). | |||||||||||
If you're on Windows 2000 or XP, find the Documents and Settings folder. Then find your own individual user folder under Documents and Settings. In your own individual user folder, you'll see your Cookies folder (i.e., \Documents and Settings\<user>\Cookies). | |||||||||||
Once you open the Cookies folder, you should see a number of cookies. | |||||||||||
![]() |
|||||||||||
Internet Explorer stores cookies on your hard drive as individual text files (unlike Netscape, which stores all of its cookies in one text file). You can doubleclick on individual cookies and look at them. There's not much to see, though... | |||||||||||
![]() |
|||||||||||
Notice the unique id number -- that's essentially the "name tag" given you by the web site that placed the cookie on your hard drive. The web site can use that unique id number to recognize you when you return to the web site. That unique id is what's at the heart of a cookie. | |||||||||||
Even though we can view our cookies in the Cookies folder, we shouldn't delete them directly from here. Internet Explorer mirrors our cookies in the Temporary Internet Files folder, which we'll move on to next. If we delete cookies directly from the Cookies folder, Internet Explorer will still display them in the Temporary Internet Files folder. | |||||||||||
To avoid this problem, we'll delete cookies from Temporary Internet Files, and Internet Explorer will remove the corresponding text files from the Cookies folder for us. In effect, we'll keep the Temporary Internet Files folder and the Cookies folder "in synch." | |||||||||||
3. | Find the Temporary Internet Files folder | ||||||||||
Next, find the Temporary Internet Files folder. The location of this folder will vary depending on what version of Windows you are running: | |||||||||||
|
|||||||||||
![]() |
|||||||||||
Assuming you've deleted Temporary Internet Files (your browser cache) as described at the beginning of this page, the only things you should see in Temporary Internet Files are cookies. (If you see a lot of files that don't appear to be cookies, delete your Temporary Internet files as we described above, then return to the Temporary Internet Files folder.) | |||||||||||
Remember: what you see here are mirrored copies of your cookies, which are actually stored as text files in the Cookies folder that we looked at just above. (And, no, don't ask me why Microsoft programmed Internet Explorer to behave like this!) | |||||||||||
4. | Selectively Delete Cookies from Temporary Internet Files | ||||||||||
We can selectively delete individual cookies by highlighting the ones we want to get rid of... | |||||||||||
![]() |
|||||||||||
...and hitting Delete. Internet Explorer will prompt us to confirm that we actually want to delete the cookies we selected. | |||||||||||
![]() |
|||||||||||
And that's all there is to it! | |||||||||||
Note that in the screenshots you see, we elected to save one cookie from Wired.com. As we've noted several times already, the advantage to deleting cookies selectively is that we can save valuable cookies for web sites that require them and that we frequently visit. | |||||||||||
5. | Shortcut to Temporary Internet Files | ||||||||||
Some users might not like dealing with Windows Explorer. For those users, there is a quicker way to get to the cookies they want to delete. | |||||||||||
From within Internet Explorer, open the Internet Options box... | |||||||||||
![]() |
|||||||||||
...and hit the Settings... button under Temporary Internet files. | |||||||||||
![]() |
|||||||||||
In the Settings box that pops up, hit the View Files... button. | |||||||||||
![]() |
|||||||||||
Do these look familiar? They should. They're the same cookies that we viewed earlier in Windows Explorer. | |||||||||||
![]() |
|||||||||||
As before, if you see more files than just cookies, delete your Temporary Internet files as described earlier, and then return to this box. | |||||||||||
From here we can select and delete cookies individually, just like we did earlier in Windows Explorer. | |||||||||||
Other Important Internet Explorer Settings | |||||||||||
|
|||||||||||
Summary of Internet Zone Settings | |||||||||||
Before we move on and discuss how to use the Trusted sites zone, let's briefly summarize the settings we've configured in the Internet zone. | |||||||||||
|
|||||||||||
|
|||||||||||
|
|||||||||||
|
|||||||||||
|
|||||||||||
Note that the table above doesn't summarize cookie settings. | |||||||||||
Now that we've disabled many settings that some web sites may depend on, we should learn how to use the Trusted sites zone for web sites that we trust so that those sites aren't broken when we visit them. | |||||||||||
Adding Sites to the Trusted Sites Zone | |||||||||||
As noted earlier, if we configure Internet Explorer's cookie settings too restrictively, or if we disable Java, Scripting, and ActiveX in in the Internet zone, or if we disable many of the Miscellaneous settings, some web sites may not work properly or could refuse to let us in. We might be tempted to relax our cookie settings and re-enable Java, Scripting, and ActiveX, but there's a better solution: add individual web sites to our Trusted sites zone. | |||||||||||
Our Trusted sites zone uses different Security Settings than our Internet zone. By default, Cookies, ActiveX, Java, and Scripting are Enabled or set to Low safety in the Trusted sites zone. And as with the Internet zone, we can customize the Security Settings even further. | |||||||||||
The Trusted sites zone allows us to permit individual web sites that depend on things like Cookies, Scripting, and so forth to use them, without forcing us to relax our default Internet zone settings. If we encounter a web site that requires Scripting or Cookies (or ActiveX or Java), we can add the site to our Trusted sites zone, and refresh the web page, which should then work fine. | |||||||||||
Here's an example: let's say we want UIUC's WebMail service to work properly. If we disable Scripting and Cookies as we did above, WebMail won't work. To get WebMail to work, we'll add the uiuc.edu domain to our Trusted sites zone, thus letting webmail.uiuc.edu use cookies and Scripting. | |||||||||||
Here's how to do it: | |||||||||||
1. | Go to the Internet Options Security tab & Select the Trusted Sites Zone | ||||||||||
Go the Security tab in Internet Options. Make sure the Trusted sites zone is selected. | |||||||||||
![]() |
|||||||||||
2. | Open the Trusted Sites Box | ||||||||||
Click the Sites... button to open the Trusted Sites box. | |||||||||||
3. | Add the uiuc.edu domain to the Trusted Sites | ||||||||||
Type the following into the top box: | |||||||||||
*.uiuc.edu | |||||||||||
We're adding the entire uiuc.edu domain to our Trusted sites zone with a wild card ( * ) so that all web sites at uiuc.edu will fall within our Trusted sites zone. (If we added only webmail.uiuc.edu, other sites at uiuc.edu would still fall in the Internet zone.) | |||||||||||
![]() |
|||||||||||
Uncheck the box labeled "Require server verification (https:) for all sites in this zone." (If you don't uncheck the box, Internet Explorer won't let you add uiuc.edu to the list of Trusted Sites, because this new entry doesn't start with https:.) | |||||||||||
Click Add to put the uiuc.edu domain into the list of Trusted Sites. | |||||||||||
Note that we could have specified webmail.uiuc.edu, but that would have placed only webmail.uiuc.edu into the Trusted zone, not all web sites from uiuc.edu. | |||||||||||
4. | Close the Trusted Sites Box & the Internet Options Box | ||||||||||
Click OK to close the Trusted Sites box. Click OK again to close Internet Options. | |||||||||||
5. | Refresh the Web Page | ||||||||||
If you're currently at webmail.uiuc.edu, hit the Refresh button to reload the web site. WebMail should work now. If it doesn't, try deleting Temporary Internet files (as described at the start of this page), closing and re-opening Internet Explorer, and then returning to the WebMail page. | |||||||||||
You can always tell what zone a site falls into by looking at the bottom right-hand corner of the Internet Explorer window: | |||||||||||
|
|||||||||||
A Handy Security Zone Utility from Microsoft | |||||||||||
If you start to make extensive use of the Trusted sites and Restricted sites zones, you might want to download IE Power Tweaks Web Accessories, a special set of utilities from Microsoft, from here: | |||||||||||
http://www.microsoft.com/windows/ie/previous/webaccess/default.mspx | |||||||||||
This set of utilities will add two new menu options to the Tools menu in Internet Explorer: | |||||||||||
This makes adding sites that you want to the Trusted sites zone a cinch. Once we're at a web site that we wish to add to the Trusted sites zone, we can just use the Add to Trusted Zone menu option: |
|||||||||||
![]() |
|||||||||||
Although the IE Power Tweaks Web Accessories is billed as a tool for Internet Explorer 5, it will work just fine on Internet Explorer 6 as well. | |||||||||||
What sites should be added to the Trusted sites zone? | |||||||||||
What sites you put in your Trusted sites zone involve choices that only you can make. I can
offer a few criteria that I use when deciding to admit a site or domain to my
Trusted sites zone:
Examples:
As I said, these are personal decisions based on your own unique judgments and assessments. |
|||||||||||
Conclusion | |||||||||||
I hope you've found this short tour of Internet Explorer's privacy and security features interesting and helpful. If you need more assistance or still have questions, check the following web pages for links to information about web browser privacy and security: | |||||||||||
If you're using AOL, you may also want to get an overview of the AOL privacy and security preferences that are specific to AOL services. | |||||||||||
Advice, Organization, & Compilation |