Internet Privacy w/ IE6 & P3P: A Summary of Findings
1st-Party vs. 3rd-Party
Sites/Domains Not In IE-SPYAD
Interpretation of Results
Notes & Comments
More Information
The Import File

This Page Last Updated: Sep 20 '01


Internet Explorer 6.0 (IE6) offers users a new set of options for handling cookies. These options, which can be found on the new Privacy tab (Tools >> Internet Options... >> Privacy), supersede the cookie settings which were formerly located in each Security zone (Tools >> Internet Options... >> Security).

With these new cookie settings, several questions have been raised with respect to the level of privacy afforded by this new Privacy tab and how the Privacy tab's cookie settings can be used in conjunction with the Trusted and Restricted zones. Briefly summarized, these questions are:

  • How much privacy from cookies do the default Privacy tab settings offer?
  • Can the Restricted zone be used to override the Privacy tab settings and block cookies from specified domains and servers, even when those cookies are deemed "acceptable" by IE6 based on the domains' P3P compact policies and IE6's Privacy tab settings?
  • If one leaves the Privacy tab cookie settings at their defaults but sets the Internet Zone options restrictively (i.e., everything to "Disable," "Prompt," or "High"), can one expect a meaningful improvement in the protection of one's privacy from cookies in IE6?
  • If one leaves IE6's Security zone settings at their defaults, then merely "overrides" the default Privacy tab settings with "block" settings for both first-party and third-party cookies, can one expect a meaningful improvement in the protection of one's privacy from cookies in IE6?
  • Can one enforce an "opt-in" policy by setting the Internet zone and Privacy tab options restrictively in order to block most cookies while at the same time accepting certain cookies through the Trusted zone on a per-site basis?
  • How effective is a custom XML Privacy Import file in forcing IE6 to control the use of cookies?

In order to answer these questions, several sets of trials on a select group of sites using different mixes of Security zone and Privacy tab settings were conducted.


Two sets of trials with IE6 were conducted on two groups of six internet sites (9/2/01, 9/4/01). These trials were distinguished from each other by the differing mixes of Internet zone and Privacy tab options that were selected for each trial.

Trial Description
All Default: All Security Zone settings at their defaults (e.g., Internet = Medium); Privacy tab cookie slider at the default Medium; no sites loaded into Restricted or Trusted zones.
IE-SPYAD: All Security Zone settings at their defaults (e.g., Internet = Medium); Privacy tab cookie slider at the default Medium; IE-SPYAD Restricted zone list loaded into Restricted zone. (IE-SPYAD is a list of sites and domains of known online advertisers and marketers that can be loaded into Internet Explorer's Restricted zone. For a link to IE-SPYAD see the More Information section at the end of this document.)
Opt-In: Internet zone settings set highly restrictively (i.e., block, prompt, or high); Privacy tab Advanced/"Override automatic cookie handling" selected w/ First-party and Third-party Cookies set to Block. Primary sites added to Trusted zone (w/ the exception of (Trusted zone settings very lenient: everything set to "Enable" or "Low").

Following these initial sets of trials, two additional trials were performed on all twelve sites (9/5/01 & 9/8/01):

Trial Description
Override: All Security Zone settings at their defaults (e.g., Internet = Medium); Privacy tab Advanced/"Override automatic cookie handling" selected w/ First-party and Third-party Cookies set to Block. (No IE-SPYAD; no sites added to Trusted zone).
Restrict: All Internet Zone options set "restrictively" (i.e., everything to "Disable," "Prompt," or "High"); Privacy tab cookie settings left at the default "Medium" setting.

One final trial was conducted on all twelve sites (9/16/01):

Trial Description
Import: All Security Zone settings at their defaults (e.g., Internet = Medium); custom XML Privacy Import file (supplied by R2 at DSLR) used to set Privacy tab options for Internet and Trusted zones:
Internet zone:  First Party: force Session
                Third Party: Block

Trusted zone:   First Party: Leash (force Session
                             if no Compact Policy) 
                Third Party: Block
See The Import File section below for more information on the Import file used. (No IE-SPYAD; no sites added to Trusted zone).

Additionally, the "All Default" trial for was repeated twice (9/5/01) in order to verify the results for the popup ad at that site.

When the "Advanced" setting's "override automatic cookie handling" option was selected, the "always allow session cookies" box was left unchecked (effectively blocking session cookies).

Between trials, IE6 was closed and then restarted.

Between primary sites, IE6's file cache and URL history were flushed and all cookies were deleted.

All other ad/cookie blocking software on this computer was disabled (i.e., no AtGuard, no HOSTS file).

Trial Set # 1 (9/2/01), Trial Set # 3 (9/5/01), Trial Set # 4 (9/8/01), Trial Set # 5 (9/16/01)
Site/Cookie All Default IE-SPYAD Restrict Override Opt-In Import OK OK OK xx (2) OK R (9) OK (2) xx (2) --  xx (2) xx (2) xx -- -- -- -- -- xx (nc) * OK OK OK xx OK R (nc) * -- -- -- -- xx -- (nc) * xx xx xx xx xx xx (nc) * xx xx -- -- -- -- * OK OK OK xx xx xx -- xx -- -- -- -- OK xx -- -- xx -- * OK OK OK xx OK R OK xx -- xx xx -- OK xx OK xx xx R OK -- -- -- xx -- (nc) xx xx xx xx xx xx -- xx (2) -- -- -- -- * OK OK OK xx xx (2) R OK xx OK xx xx R -- xx (3) OK -- -- --
Trial Set # 2 (9/4/01), Trial Set # 3 (9/5/01), Trial Set # 4 (9/8/01), Trial Set # 5 (9/16/01)
Site/Cookie All Default IE-SPYAD Restrict Override Opt-In Import OK (2) OK OK xx (2) OK R (2) -- xx (4) -- -- -- -- -- xx -- -- -- -- OK -- OK xx -- -- (nc) OK OK OK xx (15) OK R OK (2) xx (2) OK -- xx xx (2) -- xx -- -- -- -- * OK (2) OK (2) OK (2) xx (2) xx (2) -- * (nc) -- xx (3) -- xx -- -- -- -- -- -- -- xx (nc) OK OK (2) OK xx (11) OK (2) R OK xx OK xx xx xx OK xx OK xx xx xx * (nc) OK -- -- -- -- -- OK -- -- -- -- -- OK (2) OK (2) OK (2) xx OK (2) -- * OK OK OK -- xx  -- -- xx -- -- -- -- OK xx -- -- xx -- -- xx (2) -- -- -- -- OK -- -- xx xx -- -- -- OK -- -- -- OK -- -- -- -- -- (nc) OK -- -- -- -- -- (nc) xx xx -- -- xx -- (nc) xx (3) xx xx (3) xx (3) xx (3) -- OK xx -- xx xx -- OK xx -- xx xx -- OK -- -- -- -- --
Symbol Description
OK cookie accepted
xx cookie blocked
R cookie restricted (to Session cookie)
-- no cookie
(2) multiple cookies
(nc) no compact policy
* not included in IE-SPYAD
primary site popup/popunder ad associated with primary site first-party cookie (all others are third-party)
First-Party vs. Third-Party

IE6 distinguishes first-party from third-party cookies based on the domain alone. By contrast, IE6 distinguishes between compact policies based on the entire URL.


According to Microsoft:

Internet Explorer 6 defines first-party content as that associated with the host domain. Third-party content originates
from any other domain. For example, suppose a user visits by typing this URL in the
address bar, and has a banner ad on this page. If these two sites set cookies, the cookies from are in a first-party context while the cookies from are in a
third-party context.

Often commercial Web pages are an amalgamation of first- and third-party content. The Internet Explorer 6 privacy
features distinguish between first- and third-party content. The underlying assumption is that users have a different
relationship with first parties than with third parties. In fact, users might not be aware of the third party or be given
a choice in having a relationship with it. For this reason, default privacy settings for third parties are more stringent
than for first parties.

Note: The URLs, and, both contain the same minimal
domain, Content that shares the same minimal domain as the host domain is considered first-
party content. Likewise, cookies set from these domains are considered first-party cookies. Minimal domains must
have the same top-level domain (TLD). Some common examples of TLDs are .com, .net, and .org.

Note: If a user visits over a secure connection using Secure Hypertext Transfer Protocol
(HTTPS), content on the page that is not using HTTPS is considered third-party content.

Aaron Goldfeder & Lisa Leibfried. "Privacy in Internet Explorer 6."

Sites/Domains Not In IE-SPYAD

Type Description
primary sites,,,,,,,,,,
all sites,,
some sites,
Interpretation of Results

All Default Settings

With the default Security Zone and Privacy tab settings in place, IE6 is very lax in accepting cookies. The only cookies blocked were third-party cookies from domains without a compact policy. As expected, Doubleclick's third-party cookies were readily accepted.

While IE6 will block third-party cookies from sites without compact policies (see the results for for a good example of this), this limited protection will likely become increasingly marginal as more and more domains construct P3P policies which satisfy IE6's lenient "Medium" Privacy tab settings (as Doubleclick has). As these default settings offer little protection from cookies, users who do not customize IE6's Security Zone and Privacy tab settings will see little change in the level of privacy surrounding their web surfing.

Bottom line: if you want privacy from third-party advertisers and their cookies in IE6, DO NOT accept the default IE6 Security zone and Privacy tab settings.

All Default Settings / IE-SPYAD

The Restricted zone appears to offer one very effective way to block cookies from third-party advertisers and marketers. Once IE-SPYAD's Restricted zone list was loaded into the Restricted zone, third-party cookies from the big online advertisers like Doubleclick were effectively blocked (the only exceptions being specific servers like and, which are not included in IE-SPYAD).

Of particular interest is the fact that cookies from, which were formerly accepted using the default IE6 Privacy tab settings, were blocked this time around because was loaded into the Restricted zone by IE-SPYAD.

Note also that the Restricted zone blocked these cookies despite the fact that IE6's lax "Medium" Privacy tab settings were still in place, indicating that the Restricted zone takes precedence over the Privacy tab's cookie settings.

Restrictive Internet Zone Settings /
Default Privacy Settings

The Internet Zone settings (which control such things as ActiveX, JavaScript, Java, et al) can be used to gain some increased level of privacy from cookies, but the results are not as dramatic as can be had from manipulating the Privacy tab cookie handling settings or using a Restricted Zone block list (like IE-SPYAD). At the very least, a highly "restrictive" set of Internet Zone options will prevent popup and popunder ads from appearing, effectively blocking any cookies associated with them. Restrictive Internet Zone settings also appear to block cookies which rely on JavaScript in order to be set. Despite the slight increase in blocked cookies, the improvement in privacy seen in this trial was marginal at best.

Default Internet Zone Settings /
"Override Automatic Cookie Handling"

Given the complexity of the Security zones feature of IE6, it is entirely possible that some users may shy away from using them, choosing instead to manipulate only the cookie handling settings on the Privacy tab. Users who are primarily concerned with the privacy implications of cookies (and less concerned about such technologies as JavaScript, ActiveX, and Java, among other aspects of IE6's behavior) can expect to see a meaningful improvement in the protection of their privacy from cookies if they simply use the "Advanced" settings on the Privacy tab to "override automatic cookie handling" with "blocks" for both first-party and third-party cookies.

The "override automatic cookie handling" option can be used in conjunction with other strategies for privacy protection, namely a Restricted zone list like IE-SPYAD (see above) or an Opt-In approach to the full range of IE6's Security and Privacy settings (see below).


Yet another way to protect one's privacy from online marketers in IE6 is to enforce an "opt-in" policy by setting IE6's Internet zone and Privacy tab options very restrictively. Once the Internet zone options were set to "block," "prompt," or "high," and the Privacy tab's "automatic cookie handling" was overridden with "block" settings for both first-party and third-party cookies, cookies from online advertisers and marketers were uniformly blocked, even though the primary site being visited had been added to the Trusted zone.

Thus, it appears that one can use the Trusted zone selectively to allow specific servers to set their own cookies without having to accept all other third-party cookies loaded through that site. That a site is in the Trusted zone does not give all third-party cookies associated with that site carte blanche to slip through under the same lenient Trusted zone cookie policy being applied to cookies from the main, first-party site.

Import File

Finally, a further means of protecting one's privacy in IE6 is a custom XML Import file. The Import file used in the trial conducted here imposed a customized, highly restrictive set of options on the Internet and Trusted zones: all third-party cookies were blocked; most first-party cookies were forced to behave as session cookies (not persistent cookies). Although the trial tested sites only in the Internet zone (i.e., no primary sites were added to the Trusted zone), the results are nonetheless noteworthy in that most cookies were blocked -- any that weren't were turned into session cookies. These results suggest that a custom XML Import file can be used as an effective tool to protect one's privacy from unwanted cookies in IE6.

The advantage of an Import file over the other methods tested is that it allows IE6's handling of cookies in the Trusted zone to be controlled (by default the Privacy tab affects only the Internet zone). Without an Import file, IE6 will accept all cookies from sites in the Trusted zone; with an Import file, IE6 can be forced to be selective in accepting cookies.

An Import file is not necessarily the simplest solution for the majority of users of IE6, though. Most IE6 users would undoubtedly balk at the complexity of the task of constructing an Import file for personal use: one must work through Microsoft's documentation (see below) on the subject and then experiment liberally with possible files -- a time consuming process. IE6 users who find the job of putting together an Import file beyond their means could rely on pre-made Import files supplied by more experienced users. Ideally, there would be a rich menu of Import files from which to choose, making the option of using an Import file much more readily available to the majority of IE6 users.

Problems with Popups/Popunders

At two sites ( & popup or popunder ads were encountered when IE6's Security zone and Privacy tab options were left at their defaults (see the "All Default" trial). Several problems were noted with IE6's handling of popups and popunders.

1. First-Party Cookies Forced On User

The popup/popunder ads at and appeared in a new IE window with an address bar. Each contained a new address (other than the primary site being visited). In other words, at and there were two first-party sites: one for the main site being visited, and one for the popup/popunder ad.

This behavior is troublesome because the popup or popunder ad forces a first-party cookie on the user. The user did not choose to surf to the popup/popunder ad's site, yet the ad nonetheless loads as a first-party site and IE6 accepts its cookie as a first-party cookie. (Credit goes to R2 at DSLR for pointing out the problem with this behavior.)
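The following added example (not code from this page or from Microsoft) models the first-party/third-party rule quoted earlier and shows why the same ad host is treated differently as a banner and as a popup window. Assumptions: the hosts are constructed, the minimal domain is approximated as the last two labels, the Restricted zone match is simplified, and `observed_default_handling` encodes only what these trials observed at the "Medium" slider, not IE6's full P3P evaluation.

```python
from urllib.parse import urlsplit

def minimal_domain(host):
    """Assumption: approximated as the last two labels (no handling of suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def party(window_url, content_url):
    """First- or third-party, following the rules in the Microsoft passage quoted above."""
    win, res = urlsplit(window_url), urlsplit(content_url)
    if win.scheme == "https" and res.scheme != "https":
        return "third-party"  # non-HTTPS content on an HTTPS page
    same = minimal_domain(win.hostname) == minimal_domain(res.hostname)
    return "first-party" if same else "third-party"

def in_restricted_zone(host, restricted):
    """Simplified zone match: the host is a listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in restricted)

def observed_default_handling(window_url, content_url, has_compact_policy, restricted=()):
    """Model of what the trials observed with the Privacy slider at Medium.

    Order: Restricted zone first (it overrode the Privacy tab), then the one
    block seen at Medium: third-party cookies with no compact policy.
    """
    host = urlsplit(content_url).hostname
    if in_restricted_zone(host, restricted):
        return "blocked (Restricted zone)"
    ctx = party(window_url, content_url)
    if ctx == "third-party" and not has_compact_policy:
        return "blocked (third-party, no compact policy)"
    return "accepted (" + ctx + ")"

# Constructed hosts for illustration; none of them come from the trials.
PAGE = "http://www.example.com/news"
AD = "http://ads.example.net/banner"

if __name__ == "__main__":
    cases = [
        ("banner inside the page", PAGE, AD, False, ()),
        # A popup has its own address bar, so the ad host becomes the window.
        ("same ad as a popup window", AD, AD, False, ()),
        ("banner, ad host has a policy", PAGE, AD, True, ()),
        ("banner, ad domain in Restricted zone", PAGE, AD, True, ("example.net",)),
        ("image from a sibling host", PAGE, "http://img.example.com/a.gif", False, ()),
        ("http image on an https page", "https://www.example.com/",
         "http://www.example.com/a.gif", False, ()),
    ]
    for label, win, res, has_cp, rz in cases:
        print(f"{label:40} {observed_default_handling(win, res, has_cp, rz)}")
```

The first two cases differ only in which window loads the ad: the banner's cookie is blocked for lacking a compact policy, while the popup's cookie is accepted as first-party.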

2. Unacceptable Third-Party Cookies Not Blocked

Still worse than the problem of forced first-party cookies is that in at least one case (the popunder for IE6 accepted a third-party cookie from a site without a compact policy (, which it shouldn't have. This behavior was subsequently confirmed twice. It is possible that IE6 became "confused" when dealing with a popup from the main window. That third-party cookie should not have been accepted, however, given the "Medium" Privacy tab slider setting. At this time it is not possible to say definitively why IE6 accepted this third-party cookie.

Notes & Observations

While we have already seen that IE6's default settings are disappointingly lax, what we have observed with IE6's handling of popup and popunder ads is still more troubling: it will accept first-party cookies from sites the user didn't select, and, in some instances, it will erroneously accept third-party cookies from sites without a compact policy.

Interestingly, popups and popunders appeared only when these settings were left unchanged. During the "Default/Override" trial the popup ads at and did not load at all. For that trial the only aspect of IE6's Security and Privacy settings to be changed was the Privacy tab slider, which was "overridden" with the "Advanced" settings to block all first-party and third-party cookies. When the Privacy tab was restored to its default "Medium" setting, the popup ads appeared once again.

It is not known why the popup ads should be prevented even from appearing when IE6 is configured merely to block first-party and third-party cookies. At the very least, though, this behavior represents yet another problem with IE6's default Security zone and Privacy tab settings, offering IE6 users still more reasons to reject IE6's default Privacy configuration.

Given the problems seen with popup and popunder ads, one wonders if online advertisers and marketers won't choose to exploit these anomalies in IE6's handling of popup and popunder ads in order to slip their cookies past the already lenient default Privacy settings of IE6 users.

Notes & Comments

The Privacy Report

One noteworthy new feature of IE6 is the Privacy Report that IE6 makes available for the web site the user is currently visiting. The Privacy Report can be accessed by going to View >> Privacy Report. This Privacy Report is useful inasmuch as it gives the user a summary of all the URLs (or web sites) associated with the primary web site, as well as a rundown of cookies "blocked" or "accepted." The user can also select a URL or cookie within the Privacy Report and view any privacy policies associated with the cookie/web site.

While this Privacy Report is indeed helpful, it offers information that is not as complete as it ought to be. At the very least, the Privacy Report should provide additional information about cookies "accepted" or "blocked" such as:

  • whether a cookie is first-party or third-party
  • whether a cookie is persistent or session
  • a succinct explanation of the reasons a cookie was blocked (e.g., no compact policy, unsatisfactory compact policy, etc.)

Absent this information, IE6's Privacy Report often leaves the user guessing as to why cookies were blocked or accepted, or what kind of cookies were blocked or accepted.

IE6 is capable of displaying these types of information; the "Privacy Alert" box (which appears when the user is prompted to accept or block cookies) provides a wealth of information about cookies, including the "party" and "type" of cookie as well as the compact policy (if any) associated with the web site serving the cookie. Unfortunately, the only way to receive this information is to set IE6's "Advanced" Privacy tab options to "prompt" the user when cookies are encountered. This same information should be accessible from the Privacy Report. (Thanks again to R2 at DSLR for calling attention to the information that appears in the "Privacy Alert.")

A Note on the Trials

These trials were conducted on different days over the course of roughly one week. During that time period primary web sites may have changed the mixes of advertising and cookies offered on their pages. This is especially true of the final trial set (the "Import" trial), because it was conducted less than a week after the World Trade Center/Pentagon bombing (9/16/01). Thus, some of the differences in trial results may be attributable to the changing mix of ads and cookies being served from the sites tested, not the alterations made to IE6's Privacy and Security settings.


Clearly, IE6's default Privacy tab cookie settings are inadequate to protect users' online privacy. IE6 users who desire privacy from the cookies of online advertisers and marketers should use one of the following methods (or a combination of the following methods) to block those cookies:

1. Restricted Zone Block List

Load a list of known advertising/marketing domains (like IE-SPYAD) into the Restricted zone (see the More Information section below for a link to IE-SPYAD).

2. Opt-In Internet Zone Policy

Enforce an "opt-in" policy for online advertisers & marketers by setting the Internet zone and Privacy tab options very restrictively. All Internet zone options should be set to "block" or "prompt." On the Privacy tab, select "Advanced," then check "Override automatic cookie handling" and select "Block" for both first-party and third-party cookies. Sites which the user trusts and which require cookies in order to function can be added on a per-site basis to the Trusted zone.

3. Custom XML Privacy Import File

If you have a specific need to customize IE6's handling of cookies in the Trusted zone, consider using a custom XML Import file. See The Import File section below for more information on creating custom XML Import files for use with IE6.

4. Third-Party Blocking/Filtering Software

Use third-party ad & cookie blocking/filtering software like AtGuard, the Proxomitron, WebWasher, Norton Internet Security, a HOSTS file, etc. Even with third-party software, it is still advisable to customize IE6's Security zones, if only to control the use of ActiveX, Java, and scripting, as well as a number of other Internet Explorer specific behaviors that third-party software might not be able to regulate.

Please note that no third-party blocking and filtering programs were tested with IE6 in these trials. Given that IE6 is so new, it is possible that blocking and filtering programs released prior to IE6 may not be compatible with IE6. For links to blocking and filtering software, see the More Information section below.


While the new cookie handling options in IE6 do provide users with a more finely grained means for controlling cookies, the vast majority of IE6 users will find these options much too confusing and involved to be of any real use. Still worse, the default Privacy settings of IE6 are simply too lax for users to expect any meaningful improvement in the protection of their online privacy by IE6 straight "out-of-the-box." Given these lax default Privacy settings, as well as the confusion and frustration most IE6 users will likely experience when confronted with these new settings, IE6 arguably represents a step backwards in the struggle to offer internet users a reliable way to ensure their online privacy.

Unfortunately, in the light of the sheer complexity of the P3P specification as well as IE6's idiosyncratic way of classifying and sorting the P3P compact policies of individual web sites, many IE6 users will find that the simplest and most effective way to guarantee their privacy is to avoid IE6's P3P-based cookie settings altogether. Once users have dispensed with IE6's P3P-based configuration options, they can override the default Privacy settings, employ custom block lists, or use third-party filtering software, all of which provide simpler and more reliable ways for users to protect their privacy while surfing the web.

More Information

For links to more info on Internet Explorer 6.0 and P3P, see:

To download IE-SPYAD (aka, the Restricted zone block list), visit:

For links to ad & cookie filtering software and block lists, see:

And for yet another summary assessment of Internet Explorer 6.0's Privacy settings, see this discussion:

The Import File

The custom XML Import file used for the "Import" trial was constructed by R2, a frequent poster at DSLR:

<MSIEPrivacySettings formatVersion="6">
  <p3pCookiePolicy zone="internet">
    <firstParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="no"/>
    <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no"/>
  </p3pCookiePolicy>
  <p3pCookiePolicy zone="trustedSites">
    <firstParty noPolicyDefault="forceSession" noRuleDefault="forceFirstParty" alwaysAllowSession="no"/>
    <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no"/>
  </p3pCookiePolicy>
</MSIEPrivacySettings>

If you wish to use this Import file yourself, simply copy and paste the above into Notepad, then save the file with the name IMPORT.XML. Open IE6's Privacy tab (Tools >> Internet Options... >> Privacy), hit the "Import..." button, and point IE6 to the XML file you just saved.
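Before importing a file, especially a pre-made one from someone else, it helps to see which cookies it would let through. This added example (not R2's or Microsoft's code) parses the settings above and reports the action for each zone and party; it assumes that `noPolicyDefault` applies to cookies with no compact policy and `noRuleDefault` to all others (the file contains no rules), and `load_policy`, `decide` and `persistent_paths` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# The Import file's settings from this page, written as well-formed XML.
IMPORT_XML = """
<MSIEPrivacySettings formatVersion="6">
  <p3pCookiePolicy zone="internet">
    <firstParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="no"/>
    <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no"/>
  </p3pCookiePolicy>
  <p3pCookiePolicy zone="trustedSites">
    <firstParty noPolicyDefault="forceSession" noRuleDefault="forceFirstParty" alwaysAllowSession="no"/>
    <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no"/>
  </p3pCookiePolicy>
</MSIEPrivacySettings>
"""

# Actions this example models: the three used in the file above, plus "accept".
KNOWN_ACTIONS = {"accept", "reject", "forceSession", "forceFirstParty"}
DEFAULT_ATTRS = ("noPolicyDefault", "noRuleDefault")

def load_policy(xml_text):
    """Return {(zone, party): attributes}; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(xml_text)
    policy = {}
    for zone_el in root.iter("p3pCookiePolicy"):
        for party in ("firstParty", "thirdParty"):
            el = zone_el.find(party)
            if el is None:
                continue
            for attr in DEFAULT_ATTRS:
                if el.get(attr) not in KNOWN_ACTIONS:
                    raise ValueError(f"{zone_el.get('zone')}/{party}: "
                                     f"{attr}={el.get(attr)!r} is not modelled")
            policy[(zone_el.get("zone"), party)] = dict(el.attrib)
    return policy

def decide(policy, zone, party, has_compact_policy, session_cookie=False):
    """Action for one cookie under the assumed reading of the two defaults."""
    rule = policy[(zone, party)]
    if session_cookie and rule.get("alwaysAllowSession") == "yes":
        return "accept"
    # With no rules in the file, every cookie that has a compact policy
    # falls through to noRuleDefault.
    return rule["noRuleDefault"] if has_compact_policy else rule["noPolicyDefault"]

def persistent_paths(policy):
    """Settings under which a cookie can still be stored persistently.

    forceFirstParty (the "Leash" setting) keeps the cookie persistent;
    forceSession and reject do not.
    """
    found = []
    for zone, party in sorted(policy):
        for attr in DEFAULT_ATTRS:
            action = policy[(zone, party)][attr]
            if action in ("accept", "forceFirstParty"):
                found.append((zone, party, attr, action))
    return found

if __name__ == "__main__":
    policy = load_policy(IMPORT_XML)
    for zone, party in sorted(policy):
        for has_cp in (True, False):
            label = "with compact policy" if has_cp else "no compact policy"
            print(f"{zone:13} {party:11} {label:20} -> {decide(policy, zone, party, has_cp)}")
    print("persistent cookies possible via:", persistent_paths(policy))
```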

For more information on custom XML Import files for IE6, see these documents from Microsoft:

You can find a set of pre-made Custom XML Import Files on this web site:


This page arose out of a long discussion thread on IE6 at DSLR. You can read that thread in its entirety here:

Thanks to R2 and all the other readers of DSLR who have patiently reviewed and commented on this page.


Date:     9/2/01
Revised:  9/4/01, 9/5/01, 9/7/01, 9/8/01, 
          9/9/01, 9/16/01, 9/20/01
Made By:  Eric L. Howes


2000-2003 Eric L. Howes