Recommended Settings for Internet Explorer and Outlook

Nummist Computer Consultants recommends these security settings for Internet Explorer (web browser) and for Outlook or Outlook Express (email) in Windows XP or Vista. The following tips assume that you have already used Microsoft Update to keep Windows XP or Vista up-to-date, since updates add new security settings.

Security settings in Internet Explorer, and Outlook or Outlook Express, determine whether some potentially insecure features are disabled, require user confirmation, or are automatically allowed. The right settings for your computer will depend on which features the users require, and whether the users have the knowledge and patience to make case-by-case judgments about allowing or disallowing potentially insecure features. The following is a description of our normally recommended security settings. Taking a few minutes to customize your security could save you a lot of time and problems in the future!

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> General tab -> click Settings button ("Temporary Internet files" section):

  • You should set the "Amount of disk space to use" to 100MB or less. Storing more than 100MB of downloaded web pages is usually a waste of disk space.

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Security tab -> single-click Internet icon -> click Custom Level button:

  • .NET Framework-reliant components:
    • Run components not signed with Authenticode: Disable
    • Run components signed with Authenticode: Disable
  • ActiveX controls and plug-ins:
    • Automatic prompting for ActiveX controls: Disable
    • Binary and script behaviors: Enable
    • Download signed ActiveX controls: Disable
    • Download unsigned ActiveX controls: Disable
    • Initialize and script ActiveX controls not marked as safe: Disable
    • Run ActiveX controls and plug-ins: Enable
    • Script ActiveX controls marked safe for scripting: Enable
  • Downloads:
    • Automatic prompting for file downloads: Disable
    • File download: Disable
    • Font download: Disable
  • Java VM (may not be present):
    • Java permissions: Disable Java
  • Miscellaneous:
    • Access data sources across domains: Disable
    • Allow META REFRESH: Enable
    • Allow scripting of Internet Explorer Webbrowser control: Disable
    • Allow script-initiated windows without size or position constraints: Disable
    • Allow Web pages to use restricted protocols for active content: Disable
    • Display mixed content: Disable
    • Don't prompt for client certificate selection when no certificates or only one certificate exists: Disable
    • Drag and drop or copy and paste files: Disable
    • Installation of desktop items: Disable
    • Launching programs and files in an IFRAME: Disable
    • Navigate sub-frames across different domains: Disable
    • Open files based on content, not file extension: Disable
    • Software channel permissions: High Safety
    • Submit non-encrypted form data: Enable
    • Use Pop-up Blocker: Enable
    • Userdata persistence: Disable
    • Web sites in less privileged web content zone can navigate into this zone: Prompt
  • Scripting:
    • Active scripting: Enable
    • Allow paste operations via script: Disable
    • Scripting of Java applets (may not be present): Disable
  • User Authentication:
    • Logon: Prompt for user name and password

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Security tab -> single-click Local intranet icon -> click Sites button:

  • Uncheck all the check boxes.
  • Click the Advanced button. For each web site listed, click it, then click the Remove button.

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Security tab -> single-click Trusted sites icon -> click Custom Level button:

  • Except where specified below, use the same settings as above for the Internet icon.
  • ActiveX controls and plug-ins:
    • Download signed ActiveX controls: Prompt
  • Downloads:
    • File download: Enable

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Security tab -> single-click Trusted sites icon -> click Sites button:

  • Require server verification (https:) for all sites in this zone: unchecked
  • Add sites that you trust enough to permit them to install new software on your computer. To ensure the correct functioning of Microsoft Update, you should at least add:
    • *.microsoft.com

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Security tab -> single-click Restricted sites icon -> click Custom Level button:

  • .NET Framework-reliant components:
    • Run components not signed with Authenticode: Disable
    • Run components signed with Authenticode: Disable
  • ActiveX controls and plug-ins:
    • Automatic prompting for ActiveX controls: Disable
    • Binary and script behaviors: Disable
    • Download signed ActiveX controls: Disable
    • Download unsigned ActiveX controls: Disable
    • Initialize and script ActiveX controls not marked as safe: Disable
    • Run ActiveX controls and plug-ins: Disable
    • Script ActiveX controls marked safe for scripting: Disable
  • Downloads:
    • Automatic prompting for file downloads: Disable
    • File download: Disable
    • Font download: Disable
  • Java VM (may not be present):
    • Java permissions: Disable Java
  • Miscellaneous:
    • Access data sources across domains: Disable
    • Allow META REFRESH: Disable
    • Allow scripting of Internet Explorer Webbrowser control: Disable
    • Allow script-initiated windows without size or position constraints: Disable
    • Allow Web pages to use restricted protocols for active content: Disable
    • Display mixed content: Disable
    • Don't prompt for client certificate selection when no certificates or only one certificate exists: Disable
    • Drag and drop or copy and paste files: Disable
    • Installation of desktop items: Disable
    • Launching programs and files in an IFRAME: Disable
    • Navigate sub-frames across different domains: Disable
    • Open files based on content, not file extension: Disable
    • Software channel permissions: High Safety
    • Submit non-encrypted form data: Prompt
    • Use Pop-up Blocker: Enable
    • Userdata persistence: Disable
    • Web sites in less privileged web content zone can navigate into this zone: Disable
  • Scripting:
    • Active scripting: Disable
    • Allow paste operations via script: Disable
    • Scripting of Java applets (may not be present): Disable
  • User Authentication:
    • Logon: Prompt for user name and password

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Privacy tab -> click Advanced button:

  • Override automatic cookie handling: checked
  • First-party Cookies: Block
  • Third-party Cookies: Block
  • Always allow session cookies: checked

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Privacy tab -> click Sites button:

  • If you want a site to remember your preferences or selections, you may need to allow cookies for that site. Cookies are often required by legitimate sites that require you to log in with a username and password, such as legitimate online shopping and banking sites. Here you can allow or block cookies on a per-site basis. Sites in the Trusted sites zone (which you previously configured) are automatically allowed.
  • If you have a Microsoft .NET Passport, you may need to allow passport.com and passport.net.

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Privacy tab -> check Block pop-ups and click Settings button (Pop-up Blocker section):

  • Show Information Bar when a pop-up is blocked: checked
  • Filter Level: High or Medium
  • You can add web sites from which you want to allow pop-up windows. You should at least add:
    • *.microsoft.com

In Internet Explorer, on the menu bar, choose: Tools -> Internet Options -> Advanced tab:

  • Browsing:
    • Automatically check for Internet Explorer updates: unchecked (this functionality was replaced by Microsoft Update)
    • Enable Install on Demand (Internet Explorer): unchecked
    • Enable Install on Demand (Other): unchecked
    • Notify when downloads complete: checked
    • Use Passive FTP: checked
  • Search from Address bar:
    • When searching: Do not search from the Address bar
  • Security:
    • Allow active content from CDs to run on My Computer: unchecked
    • Allow active content to run in files on My Computer: unchecked
    • Allow software to run or install even if the signature is invalid: unchecked
    • Check for publisher's certificate revocation: checked
    • Check for server certificate revocation: checked
    • Check for signatures on downloaded programs: checked
    • Do not save encrypted pages to disk: checked
    • Empty Temporary Internet Files folder when browser is closed: checked
    • Enable Integrated Windows Authentication: unchecked
    • Enable Profile Assistant: unchecked
    • Use SSL 2.0: unchecked
    • Use SSL 3.0: checked
    • Use TLS 1.0: checked
    • Warn about invalid site certificates: checked
    • Warn if changing between secure and not secure mode: checked
    • Warn if forms submittal is being redirected: checked
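To check the Custom Level settings for the Internet, Trusted sites and Restricted sites zones, and the SSL/TLS check boxes on the Advanced tab, without clicking through every dialog, the following Python script (an added example, not part of Nummist's recommendations or of any Microsoft tool) audits a reg.exe export of the Internet Settings key. It assumes the registry layout Microsoft documents for zones: one DWORD per Custom Level setting under HKEY_CURRENT_USER\...\Internet Settings\Zones\<n> (2 = Trusted sites, 3 = Internet, 4 = Restricted sites) with 0 = Enable, 1 = Prompt, 3 = Disable, and a SecureProtocols bitmask for the "Use SSL 2.0 / SSL 3.0 / TLS 1.0" boxes. The value names, bit values and the sample export are assumptions to confirm against your own system, and only a subset of the settings listed above is covered.

```python
"""Offline audit of Internet Explorer zone and protocol settings (exported with
reg.exe) against the Custom Level and Advanced-tab recommendations above."""
import re

# Each Custom Level setting is one DWORD in the zone's registry key (assumed
# layout, from Microsoft's documented zone registry values).
ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE_NAMES = {2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# (value name, Custom Level label, Internet, Trusted sites, Restricted sites)
SETTINGS = [
    ("1001", "Download signed ActiveX controls", DISABLE, PROMPT, DISABLE),
    ("1200", "Run ActiveX controls and plug-ins", ENABLE, ENABLE, DISABLE),
    ("1400", "Active scripting", ENABLE, ENABLE, DISABLE),
    ("1803", "File download", DISABLE, ENABLE, DISABLE),
    ("2000", "Binary and script behaviors", ENABLE, ENABLE, DISABLE),
    ("2101", "Less privileged zone can navigate into this zone", PROMPT, PROMPT, DISABLE),
]
LABELS = {s[0]: s[1] for s in SETTINGS}
POLICY = {3: {s[0]: s[2] for s in SETTINGS}, 2: {s[0]: s[3] for s in SETTINGS},
          4: {s[0]: s[4] for s in SETTINGS}}
# The Advanced tab's "Use SSL 2.0 / SSL 3.0 / TLS 1.0" boxes share one bitmask
# (assumed bit layout: SSL 2.0 = 0x08, SSL 3.0 = 0x20, TLS 1.0 = 0x80).
PROTOCOL_BITS = {"SSL 2.0": 0x08, "SSL 3.0": 0x20, "TLS 1.0": 0x80}
RECOMMENDED_PROTOCOLS = {"SSL 2.0": False, "SSL 3.0": True, "TLS 1.0": True}

ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SECTION_RE = re.compile(r"^\[" + re.escape(ROOT) + r"(?:\\Zones\\(\d))?\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
SKIP = object()  # marks a key in the export that is not audited

# Constructed sample export, not from a real machine: the Internet zone allows
# file download, the Restricted zone allows scripting and has no value 2101,
# the Trusted sites zone was not exported, and SSL 2.0 is still switched on.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:000000a8

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000000
"1803"=dword:00000000
"2000"=dword:00000000
"2101"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000000
"1803"=dword:00000003
"2000"=dword:00000003
"""

def parse_reg_export(text):
    """Return {zone id or None: {VALUE NAME: int}}; None holds the values of the
    Internet Settings key itself. Keys outside that tree are skipped."""
    sections, current = {}, SKIP
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            current = SKIP if not m else (int(m.group(1)) if m.group(1) else None)
            if current is not SKIP:
                sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not SKIP:  # registry value names are case-insensitive
            sections[current][m.group(1).upper()] = int(m.group(2), 16)
    return sections

def audit_zone(sections, zone_id):
    """(value name, label, expected, actual) for every recommended setting the
    zone does not match. A value missing from the export is reported as None:
    IE then applies the zone template's default rather than our choice."""
    actual = sections.get(zone_id, {})
    return [(name, LABELS[name], want, actual.get(name))
            for name, want in POLICY[zone_id].items() if actual.get(name) != want]

def audit_protocols(mask):
    """{protocol: (recommended on, actually on)} for each SecureProtocols bit
    that differs from the recommendation."""
    return {p: (RECOMMENDED_PROTOCOLS[p], bool(mask & bit))
            for p, bit in PROTOCOL_BITS.items() if bool(mask & bit) != RECOMMENDED_PROTOCOLS[p]}

def report(text):
    """Human-readable deviation lines for one export (empty list = all match)."""
    sections, lines = parse_reg_export(text), []
    for zone_id, zone in sorted(ZONE_NAMES.items()):
        if zone_id not in sections:
            lines.append(f"{zone}: zone key not in export")
            continue
        for name, label, want, got in audit_zone(sections, zone_id):
            lines.append(f"{zone}: {label} ({name}) expected {want}, found {got}")
    mask = sections.get(None, {}).get("SECUREPROTOCOLS")
    if mask is None:
        lines.append("Advanced: SecureProtocols value not in export")
    else:
        for proto, (want, got) in audit_protocols(mask).items():
            lines.append(f"Advanced: Use {proto} should be {'on' if want else 'off'}, found {'on' if got else 'off'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)) or "all audited settings match")
```

Produce the export on the machine with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg` and call `report(open("ie.reg", encoding="utf-16").read())`; reg.exe writes UTF-16 with a byte-order mark, which that codec handles. Where the "Security Zones: Use only machine settings" policy is in force, the effective values live under HKEY_LOCAL_MACHINE instead, so export that hive and adjust ROOT accordingly. A setting reported as None is worth a second look: the dialog will show the zone template's default, not the value you intended.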

In Outlook Express, on the menu bar, choose: Tools -> Options -> Security tab:

  • Select the Internet Explorer security zone to use: Restricted sites zone
  • Warn me when other applications try to send mail as me: checked
  • Do not allow attachments to be saved or opened that could potentially be a virus: checked

In Outlook, on the menu bar, choose: Tools -> Options -> Security tab:

  • Zone: Restricted sites