-------------------------------------
Collection of Custom XML Import Files
for Internet Explorer 6.0
-------------------------------------
Last Revised: 9/28/01

--------
Contents
--------

 * Overview
 * Using custom XML Import Files
     - Installation
     - Uninstallation
 * Short List of Privacy-Friendly Custom XML Import Files
 * Advanced Menu of Custom XML Import Files
 * Always Allow Session Cookies
 * Assumptions/Rules
 * Limitations
 * DEFAULT.REG
 * More Info
 * Credits
 * Appendix: Complete Tables

~~~~~~~~
Overview
~~~~~~~~

This package contains three sets of custom XML Import files for Internet Explorer 6.0. These Import files can be used to customize IE6's handling of cookies in the Trusted and Internet zones (not the Restricted zone), giving users much more control over the rules IE6 employs to block or accept cookies.

Please note that these XML Import files will override any Privacy settings currently selected on IE6's Privacy tab (both the slider as well as the "Advanced Settings...").

All of these XML files are editable with a simple text editor like Notepad.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using Custom XML Import Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

** Installation **

To use ("import") any of these custom XML Import files in Internet Explorer 6.0:

  1) Open IE6's Internet Options

     Go to Tools >> Internet Options.

  2) Go to the Privacy tab

     Within Internet Options, hit the Privacy tab.

  3) Hit "Import..."

     Push the "Import" button on the Privacy tab.

  4) Select the XML File to Import & Import It

     Use the Open-File dialog box that pops up to navigate to the folder where you've stored the XML file that you want to import. Select the XML file to import, then press "Open."

  5) Wait for Confirmation

     You should receive this confirmation:

       "Your privacy settings file was successfully imported."

     Click "OK" to close the confirmation box. If you receive the following notice instead...

       "Your privacy settings file could not be imported."

     ...then there is a problem.
     Click "OK" to close the warning box and resolve the problem.

  6) Close the "Internet Options" Box

     Click "OK" to close the "Internet Options" box.

** Uninstallation **

If you wish to restore the default Internet Explorer 6.0 Privacy settings, merge DEFAULT.REG into your Registry by double-clicking on it. DEFAULT.REG restores the default IE6 Privacy settings. For more information on DEFAULT.REG, see the "DEFAULT.REG" section below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short List of Privacy-Friendly Custom XML Import Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This "short list" of "privacy-friendly" XML Import files is designed for beginning users and users who are less experienced with Internet Explorer 6.0 and the range of Privacy options that it offers.

These XML files allow users to exploit some of the new options in IE6 for handling cookies without requiring users to embroil themselves in the complexities of P3P policies and options. They also offer users the means to control IE6's handling of cookies in both the Internet and Trusted zones without burdening users with the job of learning every last configuration option that IE6 offers.

The goals of this "short list" are twofold: simplicity and consistency. The XML Import files in this list make no distinction between sites with Compact Policies and those without -- all sites are treated the same within zones. Users who desire to make distinctions between sites with Compact Policies and those without Compact Policies should consider using XML files from the "Advanced List" (see below).

This "short list" does allow users to distinguish between the Internet and Trusted zones, though the list also contains files which treat the Internet and Trusted zones identically.

The "Short List" files can be found in the directory \SHORT.

*****************************************
* Short List: (liberal session cookies) *
*****************************************

Note: As settings for third-party cookies are always "reject" (both noPolicy and noRule in the Internet as well as the Trusted zone), third-party cookie settings are not included in the table below. For a complete version of this table, see the Appendix.

Note2: alwaysAllowSession="yes" for both zones in first-party contexts only. This option unconditionally permits session cookies in first-party contexts. Third-party session cookies are still evaluated in the same way as persistent cookies.

:------  ---------------------|----------------------:
|  XML      ** Internet **    |    ** Trusted **     |
|  File   1-noPolicy 1-noRule | 1-noPolicy  1-noRule |
:------   ---------- -------- | ----------  -------- :
   0e-s   reject     reject     Session     Session
   0h-s   reject     reject     First       First
   0j-s   reject     reject     accept      accept
   4d-s   Session    Session    First       First
   4f-s   Session    Session    accept      accept
   7c-s   First      First      accept      accept

Credit: The above "short list" of "privacy-friendly" custom XML Import files was originally generated by R2, a frequent poster at DSLR. It was refined with the help of CNZ, alotero, jbibe, and OzarkMan, all members of DSLR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Advanced Menu of Custom XML Import Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These two sets of files are distinguished from one another by their handling of session cookies in first-party contexts. See the "Always Allow Session Cookies" section below for a more detailed explanation of the differences between these two main sets of files.

The complete "Advanced" files can be found in the directories \SET1 and \SET2 respectively.

Note: As settings for third-party cookies are always "reject" (both noPolicy and noRule in the Internet as well as the Trusted zone), third-party cookie settings are not included in either of the tables below. For a complete version of this table, see the Appendix.

*****************************************
* Set # 1 (restrictive session cookies) *
*****************************************

Note: alwaysAllowSession="no" for both zones in first-party and third-party contexts. This option forces ALL session cookies to be evaluated in the same way as persistent cookies.

:------  ---------------------|----------------------:
|  XML      ** Internet **    |    ** Trusted **     |
|  File   1-noPolicy 1-noRule | 1-noPolicy  1-noRule |
:------   ---------- -------- | ----------  -------- :
   0a     reject     reject     reject      reject
   0b     reject     reject     reject      Session
   0c     reject     reject     reject      First
   0d     reject     reject     reject      accept
   0e     reject     reject     Session     Session
   0f     reject     reject     Session     First
   0g     reject     reject     Session     accept
   0h     reject     reject     First       First
   0i     reject     reject     First       accept
   0j     reject     reject     accept      accept
   1a     reject     Session    reject      Session
   1b     reject     Session    reject      First
   1c     reject     Session    reject      accept
   1d     reject     Session    Session     Session
   1e     reject     Session    Session     First
   1f     reject     Session    Session     accept
   1g     reject     Session    First       First
   1h     reject     Session    First       accept
   1i     reject     Session    accept      accept
   2a     reject     First      reject      First
   2b     reject     First      reject      accept
   2c     reject     First      Session     First
   2d     reject     First      Session     accept
   2e     reject     First      First       First
   2f     reject     First      First       accept
   2g     reject     First      accept      accept
   3a     reject     accept     reject      accept
   3b     reject     accept     Session     accept
   3c     reject     accept     First       accept
   3d     reject     accept     accept      accept
   4a     Session    Session    Session     Session
   4b     Session    Session    Session     First     <-- R2's 1st
   4c     Session    Session    Session     accept
   4d     Session    Session    First       First
   4e     Session    Session    First       accept
   4f     Session    Session    accept      accept
   5a     Session    First      Session     First
   5b     Session    First      Session     accept
   5c     Session    First      First       First
   5d     Session    First      First       accept
   5e     Session    First      accept      accept
   6a     Session    accept     Session     accept
   6b     Session    accept     First       accept
   6c     Session    accept     accept      accept
   7a     First      First      First       First
   7b     First      First      First       accept
   7c     First      First      accept      accept
   8a     First      accept     First       accept
   8b     First      accept     accept      accept
   9      accept     accept     accept      accept

**************************************
* Set # 2: (liberal session cookies) *
**************************************

Note: alwaysAllowSession="yes" for both zones in first-party contexts only. This option unconditionally permits session cookies in first-party contexts. Third-party session cookies are still evaluated in the same way as persistent cookies.

:------  ---------------------|----------------------:
|  XML      ** Internet **    |    ** Trusted **     |
|  File   1-noPolicy 1-noRule | 1-noPolicy  1-noRule |
:------   ---------- -------- | ----------  -------- :
   0a-s   reject     reject     reject      reject
   0b-s   reject     reject     reject      Session
   0b-s   reject     reject     reject      First
   0d-s   reject     reject     reject      accept
   0e-s   reject     reject     Session     Session   *
   0f-s   reject     reject     Session     First
   0g-s   reject     reject     Session     accept
   0h-s   reject     reject     First       First     *
   0i-s   reject     reject     First       accept
   0j-s   reject     reject     accept      accept    *
   1a-s   reject     Session    reject      Session
   1b-s   reject     Session    reject      First
   1c-s   reject     Session    reject      accept
   1d-s   reject     Session    Session     Session
   1e-s   reject     Session    Session     First
   1f-s   reject     Session    Session     accept
   1g-s   reject     Session    First       First
   1h-s   reject     Session    First       accept
   1i-s   reject     Session    accept      accept
   2a-s   reject     First      reject      First
   2b-s   reject     First      reject      accept
   2c-s   reject     First      Session     First
   2d-s   reject     First      Session     accept
   2e-s   reject     First      First       First
   2f-s   reject     First      First       accept
   2g-s   reject     First      accept      accept
   3a-s   reject     accept     reject      accept
   3b-s   reject     accept     Session     accept
   3c-s   reject     accept     First       accept
   3d-s   reject     accept     accept      accept
   4a-s   Session    Session    Session     Session
   4b-s   Session    Session    Session     First
   4c-s   Session    Session    Session     accept
   4d-s   Session    Session    First       First     * <-- R2's 2nd
   4e-s   Session    Session    First       accept
   4f-s   Session    Session    accept      accept    *
   5a-s   Session    First      Session     First
   5b-s   Session    First      Session     accept
   5c-s   Session    First      First       First
   5d-s   Session    First      First       accept
   5e-s   Session    First      accept      accept
   6a-s   Session    accept     Session     accept
   6b-s   Session    accept     First       accept
   6c-s   Session    accept     accept      accept
   7a-s   First      First      First       First
   7b-s   First      First      First       accept
   7c-s   First      First      accept      accept    *
   8a-s   First      accept     First       accept
   8b-s   First      accept     accept      accept
   9-s    accept     accept     accept      accept

****
Key:
****

Term         Description
----         -----------
1-noPolicy   first-party cookies with no Compact Policy
1-noRule     first-party cookies with acceptable Compact Policies (i.e., for
             which no custom rule expressions are evaluated "true")
accept       accept cookies
prompt       prompt the user
First        forceFirstParty - Leash cookies so that they are only sent in a
             first-party context.
Session      forceSession - Convert persistent cookies (cookies that have an
             expiration time independent of when browser session cookie ends)
             to session cookies (cookies that expire when browser session
             cookie ends).
reject       reject (block) cookies
*            on "short list" (see Short List of Privacy-Friendly Custom XML
             Import Files)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Always Allow Session Cookies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These XML Import files are divided into two basic types:

  Restrictive Session Cookies:
      Every file of this type configures IE6 to evaluate session cookies in the same way as persistent cookies within both the Internet and Trusted zone as well as in both first-party and third-party contexts.

  Liberal Session Cookies:
      Every file of this type configures IE6 to accept session cookies within first-party contexts (in both Internet and Trusted zones) unconditionally. Third-party session cookies will still be evaluated in the same way as persistent cookies.

The XML files in the "short list" are "liberal" with session cookies.

Obviously, the options offered here for session cookies are fairly monolithic in that they do not distinguish between zones, nor do they ever free third-party session cookies from the standards of acceptance which govern persistent cookies.
XML Import files need not be so uniform in their configuration of session cookies, however. The rules governing XML Import files do allow users to configure session cookies by zone (Internet or Trusted) as well as context (first-party or third-party). Users who desire less uniform settings for session cookies will have to custom edit the XML they intend to load. XML files are editable with a simple text editor like Notepad.

~~~~~~~~~~~~~~~~~
Assumptions/Rules
~~~~~~~~~~~~~~~~~

By no means do these XML Import files cover the whole range of possible configurations. To come up with this limited set of Import files, several rules or assumptions were used:

  1. "Accept," "forceSession," or "forceFirstParty" is never needed for persistent third-party cookies in any zone. Persistent third-party cookies will always be "reject."

  2. No single Internet zone setting can be more "liberal" than its companion Trusted zone setting.

  3. No combination of Internet zone settings can be more "liberal" than its companion combination of Trusted zone settings.

  4. No zone's first-party "noPolicy" setting (any zone) should be more "liberal" than the first-party "noRule" setting in the same zone.

  5. Third-party session cookies will never be freed from the standards which govern the acceptance of persistent cookies.

  6. "Prompt" is not a useful or practical option for handling cookies on a regular basis (it is useful only for testing purposes).

~~~~~~~~~~~
Limitations
~~~~~~~~~~~

These XML Import files work only with Internet Explorer 6.0 (not with any previous version of IE or any version of Netscape Communicator).

Keep in mind that any Privacy settings that you import with an XML file supplied with this package will completely override any Privacy settings that you previously had in place. Thus, you cannot "mix and match" any of the XML files from this package by loading several in succession.
If you wish to mix settings from one file with those from another, you will have to custom edit an XML file in a text editor like Notepad.

Finally, please also note these XML files affect IE6's handling of cookies in the Internet and Trusted zones only. They do not change IE6's handling of cookies in the Restricted zone -- IE6 will always block cookies from sites in the Restricted zone -- nor do they change any of the other security and privacy options which can be set for each Security zone (e.g., ActiveX controls, Active scripting, Java applets, User-data persistence, et al).

~~~~~~~~~~~
DEFAULT.REG
~~~~~~~~~~~

Users who experiment with various XML Import files will undoubtedly want a way to restore IE6's default Privacy settings quickly and reliably. Included with this package is a .REG file which will restore all Privacy settings to their defaults:

  1) The Privacy tab slider will be set to "Medium" for the Internet zone.

  2) The Trusted zone will be restored to its default setting of "accept all" cookies. Additionally, the Trusted zone will be cleared of extraneous Registry values that are added when an XML Import file is used to customize cookie handling in the Trusted zone.

To use the DEFAULT.REG file, simply double-click on it. You will receive a popup message...

  "Information in default.reg has been successfully entered into the Registry."

...indicating that IE6's default Privacy settings have been restored to the Registry from DEFAULT.REG.

If IE6 is open when you merge DEFAULT.REG into the Registry, close and re-open Internet Explorer in order to force IE6 to recognize the changes before continuing to use IE6.

Note: When an XML Import file is used, IE6 adds two Registry values to the Trusted zone key which do NOT exist for that zone by default:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2:

    {AEBA21FA-782A-4A90-978D-B72164C80120}
    {A8A88C49-5EB2-4990-A1A2-0876022C854F}

As .REG files cannot be used to delete Registry values (only entire keys), what DEFAULT.REG does is turn those values into zero-length binary values. Thus, the two values will remain in the Trusted zone key (2), but the values will have no data associated with them.

~~~~~~~~~
More Info
~~~~~~~~~

For more information on custom XML Import files for IE6, see these documents from Microsoft:

  Privacy in Internet Explorer 6:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp

  How to Create a Customized Privacy Import File:
  http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp

  XML Elements for Custom Privacy Policies:
  http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/CustomImportXML/customimportxml.asp

~~~~~~~
Credits
~~~~~~~

This page arose out of a long discussion thread on IE6 at DSLR:

  http://www.dslreports.com/forum/remark,1462205;root=security,1;mode=flat;start=0

Thanks to R2, CNZ, alotero, jbibe, OzarkMan, and all the other readers of DSLR who have patiently reviewed and commented on this ReadMe and provided ideas and suggestions for the XML Import files.

~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix: Complete Tables
~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************
* Short List: (liberal session cookies) *
*****************************************

Note: alwaysAllowSession="yes" for both zones in first-party contexts only. This option unconditionally permits session cookies in first-party contexts. Third-party session cookies are still evaluated in the same way as persistent cookies.

 ----   ----------------------------------------|----------------------------------------|
 XML              ** Internet zone **           |           ** Trusted zone **           |
 File   1-noPolicy 1-noRule 3-noPolicy 3-noRule | 1-noPolicy 1-noRule 3-noPolicy 3-noRule|
 ----   ---------- -------- ---------- -------- | ---------- -------- ---------- --------|
 2b-s   reject     reject   reject     reject     Session    Session  reject     reject
 2e-s   reject     reject   reject     reject     First      First    reject     reject
 2i-s   reject     reject   reject     reject     accept     accept   reject     reject
 3b8-s  Session    Session  reject     reject     First      First    reject     reject
 3c19-s Session    Session  reject     reject     accept     accept   reject     reject
 3c22-s First      First    reject     reject     accept     accept   reject     reject

*****************************************
* Set # 1 (restrictive session cookies) *
*****************************************

Note: alwaysAllowSession="no" for both zones in first-party and third-party contexts. This option forces ALL session cookies to be evaluated in the same way as persistent cookies.

 ----   ----------------------------------------|----------------------------------------|
 XML              ** Internet zone **           |           ** Trusted zone **           |
 File   1-noPolicy 1-noRule 3-noPolicy 3-noRule | 1-noPolicy 1-noRule 3-noPolicy 3-noRule|
 ----   ---------- -------- ---------- -------- | ---------- -------- ---------- --------|
 0a     reject     reject   reject     reject     reject     reject   reject     reject
 0b     reject     reject   reject     reject     reject     Session  reject     reject
 0b     reject     reject   reject     reject     reject     First    reject     reject
 0d     reject     reject   reject     reject     reject     accept   reject     reject
 0e     reject     reject   reject     reject     Session    Session  reject     reject
 0f     reject     reject   reject     reject     Session    First    reject     reject
 0g     reject     reject   reject     reject     Session    accept   reject     reject
 0h     reject     reject   reject     reject     First      First    reject     reject
 0i     reject     reject   reject     reject     First      accept   reject     reject
 0j     reject     reject   reject     reject     accept     accept   reject     reject
 1a     reject     Session  reject     reject     reject     Session  reject     reject
 1b     reject     Session  reject     reject     reject     First    reject     reject
 1c     reject     Session  reject     reject     reject     accept   reject     reject
 1d     reject     Session  reject     reject     Session    Session  reject     reject
 1e     reject     Session  reject     reject     Session    First    reject     reject
 1f     reject     Session  reject     reject     Session    accept   reject     reject
 1g     reject     Session  reject     reject     First      First    reject     reject
 1h     reject     Session  reject     reject     First      accept   reject     reject
 1i     reject     Session  reject     reject     accept     accept   reject     reject
 2a     reject     First    reject     reject     reject     First    reject     reject
 2b     reject     First    reject     reject     reject     accept   reject     reject
 2c     reject     First    reject     reject     Session    First    reject     reject
 2d     reject     First    reject     reject     Session    accept   reject     reject
 2e     reject     First    reject     reject     First      First    reject     reject
 2f     reject     First    reject     reject     First      accept   reject     reject
 2g     reject     First    reject     reject     accept     accept   reject     reject
 3a     reject     accept   reject     reject     reject     accept   reject     reject
 3b     reject     accept   reject     reject     Session    accept   reject     reject
 3c     reject     accept   reject     reject     First      accept   reject     reject
 3d     reject     accept   reject     reject     accept     accept   reject     reject
 4a     Session    Session  reject     reject     Session    Session  reject     reject
 4b     Session    Session  reject     reject     Session    First    reject     reject   <-- R2's 1st
 4c     Session    Session  reject     reject     Session    accept   reject     reject
 4d     Session    Session  reject     reject     First      First    reject     reject
 4e     Session    Session  reject     reject     First      accept   reject     reject
 4f     Session    Session  reject     reject     accept     accept   reject     reject
 5a     Session    First    reject     reject     Session    First    reject     reject
 5b     Session    First    reject     reject     Session    accept   reject     reject
 5c     Session    First    reject     reject     First      First    reject     reject
 5d     Session    First    reject     reject     First      accept   reject     reject
 5e     Session    First    reject     reject     accept     accept   reject     reject
 6a     Session    accept   reject     reject     Session    accept   reject     reject
 6b     Session    accept   reject     reject     First      accept   reject     reject
 6c     Session    accept   reject     reject     accept     accept   reject     reject
 7a     First      First    reject     reject     First      First    reject     reject
 7b     First      First    reject     reject     First      accept   reject     reject
 7c     First      First    reject     reject     accept     accept   reject     reject
 8a     First      accept   reject     reject     First      accept   reject     reject
 8b     First      accept   reject     reject     accept     accept   reject     reject
 9      accept     accept   reject     reject     accept     accept   reject     reject

**************************************
* Set # 2: (liberal session cookies) *
**************************************

Note: alwaysAllowSession="yes" for both zones in first-party contexts only. This option unconditionally permits session cookies in first-party contexts. Third-party session cookies are still evaluated in the same way as persistent cookies.

 ----   ----------------------------------------|----------------------------------------|
 XML                 ** Internet **             |             ** Trusted **              |
 File   1-noPolicy 1-noRule 3-noPolicy 3-noRule | 1-noPolicy 1-noRule 3-noPolicy 3-noRule|
 ----   ---------- -------- ---------- -------- | ---------- -------- ---------- --------|
 0a-s   reject     reject   reject     reject     reject     reject   reject     reject
 0b-s   reject     reject   reject     reject     reject     Session  reject     reject
 0b-s   reject     reject   reject     reject     reject     First    reject     reject
 0d-s   reject     reject   reject     reject     reject     accept   reject     reject
 0e-s   reject     reject   reject     reject     Session    Session  reject     reject   *
 0f-s   reject     reject   reject     reject     Session    First    reject     reject
 0g-s   reject     reject   reject     reject     Session    accept   reject     reject
 0h-s   reject     reject   reject     reject     First      First    reject     reject   *
 0i-s   reject     reject   reject     reject     First      accept   reject     reject
 0j-s   reject     reject   reject     reject     accept     accept   reject     reject   *
 1a-s   reject     Session  reject     reject     reject     Session  reject     reject
 1b-s   reject     Session  reject     reject     reject     First    reject     reject
 1c-s   reject     Session  reject     reject     reject     accept   reject     reject
 1d-s   reject     Session  reject     reject     Session    Session  reject     reject
 1e-s   reject     Session  reject     reject     Session    First    reject     reject
 1f-s   reject     Session  reject     reject     Session    accept   reject     reject
 1g-s   reject     Session  reject     reject     First      First    reject     reject
 1h-s   reject     Session  reject     reject     First      accept   reject     reject
 1i-s   reject     Session  reject     reject     accept     accept   reject     reject
 2a-s   reject     First    reject     reject     reject     First    reject     reject
 2b-s   reject     First    reject     reject     reject     accept   reject     reject
 2c-s   reject     First    reject     reject     Session    First    reject     reject
 2d-s   reject     First    reject     reject     Session    accept   reject     reject
 2e-s   reject     First    reject     reject     First      First    reject     reject
 2f-s   reject     First    reject     reject     First      accept   reject     reject
 2g-s   reject     First    reject     reject     accept     accept   reject     reject
 3a-s   reject     accept   reject     reject     reject     accept   reject     reject
 3b-s   reject     accept   reject     reject     Session    accept   reject     reject
 3c-s   reject     accept   reject     reject     First      accept   reject     reject
 3d-s   reject     accept   reject     reject     accept     accept   reject     reject
 4a-s   Session    Session  reject     reject     Session    Session  reject     reject
 4b-s   Session    Session  reject     reject     Session    First    reject     reject
 4c-s   Session    Session  reject     reject     Session    accept   reject     reject
 4d-s   Session    Session  reject     reject     First      First    reject     reject   * <-- R2's 2nd
 4e-s   Session    Session  reject     reject     First      accept   reject     reject
 4f-s   Session    Session  reject     reject     accept     accept   reject     reject   *
 5a-s   Session    First    reject     reject     Session    First    reject     reject
 5b-s   Session    First    reject     reject     Session    accept   reject     reject
 5c-s   Session    First    reject     reject     First      First    reject     reject
 5d-s   Session    First    reject     reject     First      accept   reject     reject
 5e-s   Session    First    reject     reject     accept     accept   reject     reject
 6a-s   Session    accept   reject     reject     Session    accept   reject     reject
 6b-s   Session    accept   reject     reject     First      accept   reject     reject
 6c-s   Session    accept   reject     reject     accept     accept   reject     reject
 7a-s   First      First    reject     reject     First      First    reject     reject
 7b-s   First      First    reject     reject     First      accept   reject     reject
 7c-s   First      First    reject     reject     accept     accept   reject     reject   *
 8a-s   First      accept   reject     reject     First      accept   reject     reject
 8b-s   First      accept   reject     reject     accept     accept   reject     reject
 9-s    accept     accept   reject     reject     accept     accept   reject     reject
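
The first-party columns of the Set # 1 and Set # 2 tables follow mechanically from rules 2, 3 and 4 in the Assumptions/Rules section. The Python below is an added example, not part of the original package: it regenerates those rows and checks a hand-edited configuration against the same rules. The liberalness ordering reject < Session < First < accept, the file-naming scheme, and the function names are assumptions inferred from the tables.

```python
from itertools import product

# Actions from most restrictive to most liberal. This ordering is an assumption
# read off the tables (Session = forceSession, First = forceFirstParty).
LEVELS = ["reject", "Session", "First", "accept"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def zone_pairs(min_no_policy=0, min_no_rule=0):
    """First-party (noPolicy, noRule) ranks allowed for one zone.

    Rule 4: noPolicy is never more liberal than noRule. The lower bounds
    implement rules 2 and 3 when the zone is Trusted.
    """
    return [
        (p, r)
        for p, r in product(range(len(LEVELS)), repeat=2)
        if min_no_policy <= p <= r and r >= min_no_rule
    ]


def enumerate_files(suffix=""):
    """Return [(name, internet, trusted)] in the order the tables list them."""
    rows = []
    for group, (ip, ir) in enumerate(zone_pairs()):
        trusted = zone_pairs(min_no_policy=ip, min_no_rule=ir)
        for idx, (tp, tr) in enumerate(trusted):
            # Naming scheme inferred from the tables: group digit plus a
            # letter, with the letter dropped when the group has one member.
            letter = chr(ord("a") + idx) if len(trusted) > 1 else ""
            rows.append((
                f"{group}{letter}{suffix}",
                (LEVELS[ip], LEVELS[ir]),
                (LEVELS[tp], LEVELS[tr]),
            ))
    return rows


def violated_rules(internet, trusted):
    """Rule numbers broken by a hand-edited first-party configuration.

    Each argument is a (noPolicy, noRule) pair of action names. Rule 3 is
    treated as the pairwise comparison of rule 2 (an assumption).
    """
    ip, ir = RANK[internet[0]], RANK[internet[1]]
    tp, tr = RANK[trusted[0]], RANK[trusted[1]]
    broken = []
    if ip > tp or ir > tr:
        broken.append(2)
    if ip > ir or tp > tr:
        broken.append(4)
    return broken


if __name__ == "__main__":
    for name, internet, trusted in enumerate_files():
        print(f"{name:<5}{internet[0]:<9}{internet[1]:<9}{trusted[0]:<9}{trusted[1]}")
    # Constructed example of a custom edit that breaks rule 2.
    print(violated_rules(("accept", "accept"), ("First", "accept")))
```

Calling enumerate_files("-s") produces the Set # 2 names; third-party columns are omitted because rule 1 fixes them at "reject".
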

****
Key:
****

Term         Description
----         -----------
1-noPolicy   first-party cookies with no Compact Policy
1-noRule     first-party cookies with acceptable Compact Policies (i.e., for
             which no custom rule expressions are evaluated "true")
3-noPolicy   third-party cookies with no Compact Policy
3-noRule     third-party cookies with acceptable Compact Policies (i.e., for
             which no custom rule expressions are evaluated "true")
accept       accept cookies
prompt       prompt the user
First        forceFirstParty - Leash cookies so that they are only sent in a
             first-party context.
Session      forceSession - Convert persistent cookies (cookies that have an
             expiration time independent of when browser session cookie ends)
             to session cookies (cookies that expire when browser session
             cookie ends).
reject       reject (block) cookies
*            on "short list" (see Short List of Privacy-Friendly Custom XML
             Import Files)

-------------------------------------------------
Date:     9/20/01
Revised:  9/21/01, 9/22/01, 9/23/01, 9/27/01, 9/28/01, 3/26/02
From:     http://www.spywarewarrior.com/uiuc/
Made By:  Eric L. Howes (eburger68@myrealbox.com)
-------------------------------------------------

Copyright (c) 2000-2002 Eric L. Howes

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Some files distributed with this package may not be covered by the GNU GPL. Those files remain the property of their original owners and are covered by the licenses under which they were originally distributed. All trademarks are the property of their respective owners.

You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.