참고자료 : http://www.phdcc.com/xpsp2.htm

How Windows XP Service Pack 2 and Vista affect web pages running locally on your computer


Last modified: 19 December 2006.   Any comments or suggestions - please fill in form below. Chris Cant.
Chris is now available for paid-for consultation, software development or web programming - contact us using the form below.

Web pages with active content running locally
XP SP2, Vista and equivalent affect any web page with "active content" running locally on your computer in Internet Explorer.  Many people provide web page information on CD or DVD, provide product documentation as web pages, or work with web pages locally before putting them online.  Even very innocuous JavaScript is deemed to be active content and a user will have to agree to very worrying warning messages to see a page - or change a security setting.  Some valid active content may not work even if the user has enabled active content for the current window.

See below for screen shots of SP2 when trying to run a Java applet locally.

In all the following text, SP2 refers to Windows XP with Service Pack 2 or later, Windows Vista and equivalent Windows operating systems.

Web pages on your local computer

Windows XP SP2 and Vista Introduction

Windows XP SP2, Vista and equivalent include improvements to Internet Explorer security that are intended to help most users by stopping local web pages that contain "active content" from accessing your computer maliciously. "Active content" includes JavaScript, Java applets and ActiveX controls.

Users and developers of CDs containing our FindinSite-CD applet - please read our How to run FindinSite-CD in XP SP2 instructions.

Changes for web pages running locally

By default in SP2, Internet Explorer will not let any active content run in web pages that run locally (on the Local Machine, ie My Computer). The user will see a warning message in the new yellow Information Bar - clicking in there will let the user "Allow Blocked Content" - after agreeing to another dire warning.

The likely effect of this is that most users will not let local active content run, even if it is only mundane JavaScript to run a menu system.

The browser is becoming the standard interface for many applications, including those that run locally. Many people provide web page information on CD or provide product documentation as web pages. In addition many people write and test web pages locally.

Although Microsoft have provided two options to enable local content, these new security restrictions make life much harder for people who create or view content that is used locally. Most people will not want to reduce their default security settings for fear of having their computers corrupted.

Information Bar introduction box
The Information Bar is aptly named - it bars you from viewing information locally...

Why are Microsoft doing this?

We understand that the main problem is online web sites that find security holes so as to be able to run code locally. Code that runs locally used to be able to damage your system because it ran with the highest privileges. So - rather than block up the security holes - Microsoft have decided to clamp down on all local web page active content so that the user has to agree to various dire warnings before letting it run.

All local web pages (including that on CD) are currently affected. There are ways to turn off this security feature (as described below). However if turned off to make ordinary local content run, then users are susceptible to the same security holes as before.

We also posted a letter to Microsoft UK on 1 July 2004, but to date have had no reply.
We tried to highlight this issue with Microsoft in the SP2 preview forums - to no avail: the advice was simply to adapt to the new situation, ie the decision had been made and it was not going to change. Perhaps Microsoft thinks that the problems are a price worth paying to make online surfing safe. Or perhaps they have not realised that many people view content locally. One of our big users in the USA produces 800,000 CDs every April - the CDs will not run in the default SP2 settings. We have lost another order because the client could not tell their users to change their security settings.

What do Microsoft suggest?

These seem to be Microsoft's suggestions... but they are not good enough... (see below for full details)
  1. Turn off local machine security
    But: We have already had to refund an order because "we don't have control over our end-users machines. We can't simply tell them to change their settings."

  2. Give all pages "the Mark of the Web"
    But: You cannot seriously expect all pages to have this added. And links to other file types don't work.

  3. Wrap your application in an HTA file
    But: Superficially this isn't too awful a job, but why does the world have to do this? (Existing local content will not be fixed.)
Microsoft information pages:

Other options

The simplest option is to use other browsers yourself or within your organisation. However it may not be sensible to say to your users that your content will not work if viewed in Internet Explorer.

If you are producing information on CD or DVD, then active content warnings can be avoided using our software:

  • ShellRun which can be set up to turn off warnings.
  • Dynamic-CD software which runs a CD-based internet server.
  • Suggestion 1 for Microsoft

    Come on Microsoft, you can do better than this...

    Do the decent thing... block up the security holes... don't ruin locally viewed content.

    Your current way of solving the problem of malicious "cross-zone access" by making the local zone unusable is - need I say it - going to make the local zone unusable. And yes, there are lots of people who provide content to be viewed locally, not just information on CD but product documentation and people authoring web content locally before putting it online.

    The browser is the "interface of choice" for many developers - many applications nowadays that do not need an online connection are none-the-less written as web applications. These applications will not now work when viewed by an out-of-the-box XP-with-SP2.

    Suggestion 2 for Microsoft

    Make the local machine zone equivalent to the Internet zone. A lot of pages work fine when viewed online under SP2, but do not work when viewed locally. Pre-SP2 the local zone was less restricted than the Internet zone - why make it more restricted in SP2?

    Suggestion 3 for Microsoft

    If you cannot be bothered to handle security properly, then at least make the "Allow active content from CDs" option on by default.

    SP2 default security

    As described above, any locally viewed web page that contains active content will be stopped from running.
    1. At the top of the page in the Information Bar you will see this warning:
      To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...
      To enable active content, click on this message and then select:
      Allow Blocked Content...
      Example showing Internet Explorer trying to run a Java applet locally:

      Active content warning for a web page containing a Java applet

    2. You will also be asked to OK this message:
      Allowing active content such as script and ActiveX controls can be useful, but active content might also harm your computer.

      Are you sure that you want to let this file run active content?


      Enabling active content on Local Machine warning
      After all this, the active content should run. Note that the active content is only enabled for this Internet Explorer window. If you close this window and come back again you will have to go through the same process again. However, all further active content in this window is enabled (unless you navigate to non-HTML pages such as XML).

      SP2 new security options

      Microsoft have provided new options to turn off the security on local files to let active content run, as shown on the right.

      To run active content on all CDs without warnings, you must change a security setting in Internet Explorer:

      • Open menu Tools+Internet Options+Advanced tab
      • Scroll down to the Security section.
      • Make sure that "Allow active content from CDs to run on My Computer" is checked.

      If you want to run active content in all files on your hard disk or similar, then you need to:

      • Make sure that "Allow active content to run in files on My Computer" is checked.

      Note: With "Allow active content from CDs" selected, I have found that the Information Bar sometimes still appears saying that it has restricted active content, even though the content runs OK.

      The Internet Explorer Internet Options Advanced options settings needed to run FindinSite-CD

      Are the new security options enough?

      Many people view web content on local files in hard disk and on CD. Some will be generating content, while most will simply be viewing content. All these people will be affected by SP2.

      Are the new security options enough to make these people happy? My guess is that the answer is NO.

      Many people (and their system administrators) will be keen to reduce security intrusions as much as possible. Any loosening of the security settings will therefore not be acceptable.

      One of our customers has already requested a refund on a software licence purchase because "we don't have control over our end-users machines. We can't simply tell them to change their settings."


      Technical details

      This section contains registry information - only use if you feel happy working with the registry editor. Make a backup using File+Export.

      The two "Allow active content" security settings are stored in the registry. Lockdown is ON if the setting is NOT checked.

      Registry key/value Type Lockdown ON Lockdown OFF
      HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main\ FeatureControl\ FEATURE_LOCALMACHINE_LOCKDOWN\ iexplore.exe DWORD 1 0
      HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main\ FeatureControl\ FEATURE_LOCALMACHINE_LOCKDOWN\ Settings\ LOCALMACHINE_CD_UNLOCK DWORD 0 1

      Windows uses different "zones" to describe web content, as seen in Tools+Internet Options Security tab, ie "Internet", "Local Intranet", "Trusted sites" and "Restricted". The local "My Computer" zone icon is normally hidden (see below to enable it).

      There are lots of permission values associated with each zone, ie all the options shown if you click on the "Custom level" button.

    3. Microsoft: URL Action Flags
    4. Microsoft: Description of Internet Explorer security zones registry entries

      If Local Machine Lockdown is ON then the "My Computer" permissions are taken from this registry location:

    5. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Lockdown_Zones\0

      If Local Machine Lockdown is OFF then the "My Computer" permissions are taken from this registry location:

    6. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Zones\0

      The "Allow active content from CDs" setting also switches between these registry locations for web pages on CD.

      When the "My Computer" zone icon is enabled, setting custom levels only changes the permissions that apply when Local Machine Lockdown is OFF (ie in ...\Zones\0). You can change the settings for when Local Machine Lockdown is ON, but you can only do this using the registry editor.

      If Lockdown is ON but you change the zone settings (in ...\Lockdown_Zones\0), then an Information Bar warning is shown, but the active content is displayed correctly.


    7. Showing the "My Computer" security zone

      If active content is enabled on My Computer (ie Local Machine Lockdown is OFF) then you might want to adjust the permissions, ie actions that can be taken safely. To make adjustments, you will first have to enable the "My Computer" zone icon in the Internet Explorer Tools+Internet Options Security tab.
    8. Microsoft: How to Enable the My Computer Security Zone in Internet Options

      There are two ways to make the "My Computer" zone icon visible:

      • by clicking on this link - EnableMyComputerIcon.reg
      • or by changing this registry location from hexadecimal 21 to hexadecimal 47:
        HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Zones\0\Flags

      Screenshots:

      When enabled, the 'My Computer' icon appears in Internet Options - Security tab

      File download security warning
      Registry editor change confirm request
      Registry editor change done

      Thanks to Marc Castles and Jetski.


    9. New web pages viewed locally - the "Mark of the Web" solution

      Microsoft documentation suggests this as a solution for authors - you must change every single one of your web pages. The idea is that you give each web page a "Mark of the Web". Then Internet Explorer treats the page as if it were being viewed in the Internet zone.
      In an experiment with a few trial web pages, I found that this technique was successful if I remembered that every single page has to have "the Mark". Links from Mark-ed pages to unMark-ed pages silently do not work (however hard you click...). Some sort of indication of the problem would be nice... and an option to go there as well.

      A similar problem exists with links to other types of file. A test HTML file had a link to a PowerPoint presentation. The link did not work if the HTML file had the Mark. The link still did not work if I set the "Hyperlink Base" for the presentation to match the HTML Mark. Links to other file types is very common on CD so many CDs will fail to run correctly if they are given the Mark.
      (To do: check what happens with PDFs that have been given a matching Base URL.)
      Many types of file do not have the ability to set a Base URL, so they will be unshowable.

      This technique did make our FindinSite-CD Java applet work without any problems. However - as above - if any result page did not have a "Mark of the Web" then FindinSite-CD could not show it.

      To give a web page a "Mark of the Web" add in "saved from url" comment text at the start of the file, as described by Microsoft's Mark of the Web documentation. There are two possible incantations:
      1. <!-- saved from url=(0014)about:internet -->
      2. <!-- saved from url=(0020)http://www.phdcc.com -->

        The number in brackets is the decimal length of the string that follows it. The line must end in CR LF.

      Microsoft: are you really expecting all the world to add "the Mark" to their pages so that they can be viewed offline?

      Another problem:
      My guess is that a lot of people - like me - write ordinary static web pages locally and test them locally; however testing locally is not going to be possible.
      What do web editor programs do - do they add in "the Mark"?

      Microsoft's "IEBLog" on the Mark of the Web.


      Another possible workaround: HTAs (HTML Applications)

      Another suggestion is to use an HTA (HTML Application) wrapper round your local content. (Microsoft documentation of HTAs). An HTML Application works exactly like Internet Explorer except that all the normal menu and toolbar options are missing - which makes ordinary navigation difficult.

      HTML applications are supported by Windows Internet Explorer and Windows Opera but not by Windows Navigator/Mozilla. (Not tested on other platforms yet.)

      The idea is that you provide one additional file, eg called index.hta that contains the following:

      <HTML>
      <HEAD>
      <TITLE>My HTML Application</TITLE>
      <HTA:APPLICATION ID="oMyApp"
          BORDER="thin"
          INNERBORDER="no"
          SCROLL="no"
          CAPTION="yes"
          SHOWINTASKBAR="yes"
          SINGLEINSTANCE="yes"
          SYSMENU="yes"
          WINDOWSTATE="normal">
      <STYLE> body {margin:0} </STYLE>
      </HEAD>
      <BODY>
      <IFRAME src="index.htm" application=yes width="100%"
      	height=100% marginwidth=0 marginheight=0
      	frameborder=0>Iframes not supported</IFRAME>
      </BODY>
      </HTML>
      Set the green text to an application title and your start web page.

      The final job is get Windows Internet Explorer users to view the index.hta, eg by providing a shortcut to it, or setting AutoRun to start it. The shortcut or AutoRun may not work if another browser is the default browser.

      Further information I have been told:

    10. You can use frames in the HTA instead of IFRAME if your application already uses frames. Depending on the web application, it may be necessary to add APPLICATION="yes" to all/some FRAME tags.
    11. If an HTA opens another window then this windows does not inherit the "application=yes" trusted status.

      9 March 2006: Problems running Java Applets in an HTA container:

      1. If the Microsoft VM is installed, then this is used when HTAs are run by MSHTA.EXE (even if the Sun VM is installed and is being used by IE). This was reported on 26-APR-2004 to Sun (Bug 5037845).

      2. Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA. MSHTA.EXE consumes all available cycles (an infinite loop?), ie the process runs at CPU 99% in the Windows Task Manager Process tab. Reported to Sun as a bug, 9 March 2006.

        There is a work around for this problem (thanks to John, see below - 10 Apr 2006). The idea is to use a JavaScript handler for the "onbeforeunload" event to remove the Java applet from the page when the page unloads. This partial example removes the "fisCD" applet from its container "div1" when the page is unloaded:

        ..
        <script language="JavaScript" type="text/JavaScript">
        function unloadFisCD()
        {
          div1.removeChild(fisCD); 
        }
        </script>
        ..
        <body onbeforeunload="unloadFisCD()">
        ..
        <div align="center" id=div1>
        <applet mayscript="yes" height="250" width="630" CODE="fisCD" NAME="fisCD" ARCHIVE="fiscd.zip">
        ..

        Another possible workaround: Use ShellRun

        Another possible workaround for CDs and DVDs is to use the retail version of our ShellRun Windows software. ShellRun is an AutoRun tool for CDs and DVDs, ie it runs when a CD is inserted. It displays a message or menu while starting a browser etc to show your CD's first page. ShellRun has an option to enable Windows XP SP2+ Internet Explorer Active Content. If active content has to be enabled, ShellRun continues to run in the background until the CD is ejected, the system is shut down or the user logs off; at this point ShellRun restores the setting(s) to their original value(s).

        Another possible workaround: Use Dynamic-CD

        Another possible workaround is to use our Dynamic-CD Windows software. This is an internet web server that can be put on CD or run anywhere locally.

        If used on a CD or DVD, Dynamic-CD AutoRuns when inserted into a Windows computer. Dynamic-CD starts the default browser to display a start page at eg http://127.0.0.1:8080/default.asp. Dynamic-CD itself serves the pages, getting the data from the CD. The 127.0.0.1. address is usually deemed by Internet Explorer to be Intranet Zone, and will therefore allow most content to run.

        Dynamic-CD only runs in Windows. However Local Machine Lockdown is a problem only for Windows Internet Explorer, so users of other platforms can view the content normally.


        Another possible workaround: Use other browsers

        If you are just viewing or developing pages yourself locally and do not expect others to view them locally, then a simple solution is to use another browser. It is sensible anyway to check that your pages are viewable in other browsers.

        A variant on this approach is to view your pages locally through a local web server, such as IIS, Apache or Dynamic-CD.


        Comments:

        (We received many earlier comments by email. However the comment form for posting online was not provided so we cannot list them.)
        Manuel, Italy, Sun, 12 Jun 2005 09:12:33 (GMT)
        Great advice on this issue! I've been knocking my head on the PC for days, sysadmin had no idea on it. Thank you very much for these infos, hope MS will fix it up soon.
        Regards, Manuel

        John E Colman, Sun, 26 Jun 2005 22:34:17 (GMT)
        Some great tips here I hadn't found elsewhere. I hope that others also stumble onto your site.

        Graham, Sun, 03 Jul 2005 09:36:21 (GMT)
        I'm glad I found your site, some good tips available. I think microsoft will have to retract this security issue sooner or later, as most marketing catalogues will eventually be produced on CD. We need to lobby them relentlessly.

        arul, Mon, 04 Jul 2005 16:55:43 (GMT)
        I've been unable to run JavaScript on my IE6 (winXP). Now I have a clearer picture. Thanks a lot for this page. Keep up the good work!

        Martin Modin, Thu, 14 Jul 2005 21:19:37 (GMT)
        This is great information. I hope it's OK that I blogged about this "http://tinyurl.com/7oboq" if not let me know and I'll remove it.

        Peter Zelei, Mon, 25 Jul 2005 13:28:42 (GMT)
        you saved my life... thank you very much

        amit, Fri, 29 Jul 2005 14:17:36 (GMT)
        thanx gratefully

        Ed, Tue, 02 Aug 2005 14:35:15 (GMT)
        Another workaround - Use Desktop Explorer to map a drive letter to a folder (like My Web) on the C: Drive and use the path to that drive to open the files. The only trick is the path must be in the format: \\PCIdentity\C$\PATH. When files are opened with the new drive letter, they are treated as if they are not on the local drive.

        For my browser home page, I have a web page with lots of pull-down menus using scripts that automatically go to the selection when you release the mouse button. Those simple scripts were "flagged" as suspect and I was not willing to right-mouse-click and over-ride every time I launched a browser window. I first tried placing the file on a company file server that was mapped to another drive letter and it didn't come up with any alerts. So the next step was to assign a drive letter to the folder where my files are and that worked.

        big boy, Wed, 10 Aug 2005 10:02:47 (GMT)
        I was at a loss to figure out what was going, why didn't microsoft have the decency to imform me about this problem, I have spent money on stuff I had been reading for months then suddenly I began to get this content message, now I can't continue this net course that cost me good money until microsoft fixes this problem, I tried going through the steps but still I can't seem to figure it out, guess I'll just have to keep trying or wait for MS to get their shite together !

        davidb, Wed, 10 Aug 2005 16:13:24 (GMT)
        As a technical writer, this was an incredibly frustrating set of issues to learn about. I now have a process whereby I have to manually add the 'mark of the web' to every HTML page I create for HTML Help. And my company had to change our products' installation procedures by adding an appropriate registry entry so that HTML Help can be read from CD or any mapped drive other than C: -
        [HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ HTMLHelp\1.x\ItssRestrictions] "MaxAllowedZone"=dword:00000001

        Microsoft KB 896054: You cannot open remote content by using the InfoTech protocol

        Peter Zaremba, Sat, 03 Sep 2005 19:50:55 (GMT)
        Thanks for creating this page. I was going crazy trying to figure out a work around for active content run locally. After reading your page I have a couple of ideas. Thanks again.

        Bill Claxton, Tue, 06 Sep 2005 08:54:08 (GMT)
        Ed, thank you so much! I've tried the HTA route and don't much like it - for one thing, the application environment doesn't look like a standard browser window.

        The best approach is your tip, which not only works, it requires changing only the startup - no web content needs to change at all. I customized my startup script to detect XP and handle other potential problems. Following is the result.

        Normally I run an HTML page 'index_cd.htm' when the CD starts. Now I launch this batch script in my 'autorun.inf' (using 'start /min share_cd.bat'), and it works marvellously. @echo off
        :detection
        ver | find /i "Windows XP" > nul
        if not errorlevel 1 goto share_drive
        start index_cd.htm
        goto end

        :share_drive
        if "%computername%" == "" goto err1
        net share cd_rom /d
        for %%d in (c d e f g h i j k l m n o p q r s t u w x y z) do if exist %%d:\share_cd.bat net share cd_rom=%%d:\ /users:1 /r:"This CD-ROM is temporarily shared."
        if errorlevel 3 goto err2
        start \\%computername%\cd_rom\index_cd.htm
        goto end

        :err1
        echo Error - unable to locate 'computername' environment variable.
        goto end

        :err2
        echo Error - unable to share CD as a network drive. This action requires Win2000 or WinXP.
        goto end

        :end
        echo.
        echo Program completed successfully.

        Addendum: While 'start' can be used in the batch file, it fails in the 'autorun.inf' on XP and Win2000. All along I've been using 'shellexecute', but I wanted the batch script to run in minimized mode. Fortunately I found a new shareware 'shellexecute' that supports running batch files in minimized mode: ShellExecute

        The syntax for the autorun file using this utility is: "open=shellexecute /f:share_cd.bat /r:min".

        ShellExecute launches the batch file properly in XP, and using the 'minimize' option you can eliminate the annoying 'DOS box flash'.

        [Editor's note: phdcc's retail ShellRun software can also launch a batch file in a minimised DOS box]

        elviejo, Sat, 24 Sep 2005 18:30:22 (GMT)
        Also I had small javascript and I want to test it. So every time I opened explorer to test it will opene the "Informative Bar" to tell me that this was dynamic content. So I had to tell it that I really wanted to open it.
        But the most annoying, yes there is more, is that when ever I changed the local webpage to debug it, Explorer closed by itself, as simple as that you change a local webpage, explorer closes.
        This for a hand made webdeveloper is totally unacceptable, arggh!

        Christopher Hill, Thu, 29 Sep 2005 12:55:23 (GMT)
        Re the comments from Ed and Bill Claxton about sharing the CD drive and connecting to it to fix the problem. If you do this you are opening up a whole can of worms because it means that anyone on your network can view the contents of your CD drive. So if you put a CD with confidential information on anyone can see what it is on it! Additionally, if you're not running as Administrator or Power Users on your workstation (which many corporate and educational users won't be) you won't be able to share the drive anyway, so it won't work.
        In short - it's a bad idea! Don't do it!

        brian, Sat, 01 Oct 2005 18:28:55 (GMT)
        wow all this info, for the most of us including me we dont understand half of it,if any of it, i am not thick i use html and java script for making web pages, but i do know that the blocked content popup box is a right pain microsoft should give us a facilty to turn it off.
        come on microsoft you are dealing with normal people here we aren't all computer engineers you know

        Stacey, Wed, 05 Oct 2005 12:14:21 (GMT)
        This page was so helpful!  I couldn't figure out why my users were getting the security message but I have a clear understanding now.  Thanks.

        Paul Baker, Tue, 18 Oct 2005 20:27:09 (GMT)
        Although the mark of the web sorts my problem for htm(l) pages, if I save the page as a web archive (mht) the mark is not respected in the resulting mht file. This is despite Microsoft's assurances to the contrary. What seems to happen is that the html is "re-formatted" when the save occurs and the MOTW comment is no longer on its own line but instead shares a line with, say, a tag. Whether this is the problem or not, the MOTW is certainly ineffective in the mht file.

        Mario Schmalzl, Fri, 21 Oct 2005 17:02:44 (GMT)
        Great approach, but still it doesn't work, if the zone cannot be defined clearly.
        For so called "mixed zones" Sites (as in MS-CRM 3.0) you cannot assign a site and/or set security permissions.
        Anyone an idea on that?

        stephen harris, Tue, 25 Oct 2005 16:32:11 (GMT)
        Thank you, very useful and helpful suggestions, I have designed a few medical calculation web pages for distribution to clinicians who cannot access the Hospital Intranet. Most are using Win 2k, but a few are using XP. I will need to experiment to see which is the best option.

        Iris, Thu, 03 Nov 2005 23:23:49 (GMT)
        This is great info. I have a puzzling scenario though. None - I mean absolutely none - of may applications can open help at all. When I try to open chm files directly, it cannot open mk:@MSITStore:C:\pathto\filename. I have regsitered the hlpctrl.ocx, as advise somewhere else. I have tried to enale the ms-its protocol, no luck. All the help files are on my local machine and the apps run locally, so I shouldn't have this issue. Right?
        Any insight would be greatly appreciated!!

        Nick, Fri, 18 Nov 2005 00:26:20 (GMT)
        Thankyou very much - The HTA work around worked for my CD

        Alex Garcia, Wed, 30 Nov 2005 17:32:10 (GMT)
        This is great info. Thank you...

        Tony, Fri, 02 Dec 2005 05:37:30 (GMT)
        The Dynamic-CD program works great. Other than disabling security -- which is not something I think prospective customers would be interested in doing -- nothing else seemed to work when linking to PDF documents. Thank you for this fantastic recourse!

        Cheong, ganpuzzle, Thu, 12 Jan 2006 01:27:39 (GMT)
        Excellent article. We should all revolt against MS. I am seriously affected because I sell java applet puzzles. Guess what, lately I have a few requests for refund thinking that it is my software that is faulty. Microsoft is trying to kill Java applet, that is for sure.
        Do I have a legal case against Microsoft for preventing me from making a living?

        Michael Hall, Sat, 21 Jan 2006 00:34:11 (GMT)
        I have built a multimedia app in .html. I have put the generic MOTW on every page. The app works in IE with XP SP 2(in Internet Zone) but, the apps performance is so slow it is almost not usable. I have found however, that if I establish a connection to the internet (while running the app locally) then the apps performance is greatly improved. Can you explain why performance is improved by connecting to the internet and also if there are any additional workarounds I can try?

        John Page, Fri, 3 Feb 2006 11:20:43 -0700
        Good stuff. I am using the Mark of the Web solution, but a couple of comments:
        1. It does not appear to verify the url in the tag. I have found you can put any garbage (non-existent) url there and it still works so long as the byte count is OK.
        2. In that case, what is to stop a malicious coder putting any mark in their code?

        Hans, Sun, 12 Feb 2006 11:37:10 (GMT)
        Thanx for sharing knowledge regarding sp2 security. It was definately worth the time reading this page.

        Mike, Sun, 12 Mar 2006 23:10:20 (GMT)
        This is outstanding information. Thanks so much for sharing!

        Chris, Fri, 07 Apr 2006 08:10:49 (GMT)
        Hello,
        Thanks for this article.
        But am i the only one seeing another big issue here or am i completely wrong.
        I added a MOTW with localhost as source to a web page and executed it locally. Sure enough it runs in the Intranet Zone context?!
        So, if malicious code manages to run locally, why don't they just use that MOTW to get around the new Locked-Down Local Machine Zone restrictions from MS?
        Scenario:
      3. Malicious webpage manages to execute a file locally.
      4. File has MOTW (localhost)
      5. File runs in Local Intranet zone and can do pretty much whatever it wants?
      6. Install add-ons, system-wide access if user is local admin etc etc.

        [Editor: I think the answer is that Local Machine Lockdown is primarily designed to stop injection attacks, ie a page on a web site that somehow sneakily manages to elevate its zone so that some JavaScript can operate with Local Machine privileges. Internet Explorer should not accept a MOTW at this stage, therefore the attack will fail because the local machine is locked down. As I said earlier, stopping unwanted zone elevation would be a better solution. ]

      7. John, Mon, 10 Apr 2006 01:07:26 (GMT)
        I encountered the problem you mention:
        "Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA."
        I found a workaround for my case is to do something like this in the document's onbeforeunload event handler:
        document.body.removeChild(document.getElementById("applet"));

        Todd, Sat, 29 Apr 2006 18:07:20 -0700
        I'm trying to make a local DHTML application that acts as a "shell" for intranet content running in a separate (eventually hidden) frame, and while I'm still stuck, this page has given me lots of food for thought. I've worked around the "Mixed Zone" message, but am still not able to get the onload event to fire when the intranet page loads or updates. There's apparently still something IE doesn't like...

        Henry, Wed, 3 May 2006 00:46:51 -0700
        Everyone should
        (1) Uninstall SP2, and
        (2) Start a class-action lawsuit against MS.
        I've taken care of step one....

        Mike Hutchinson, Sat, 6 May 2006 06:47:18 -0700
        Your Article on XP SP2 and making javascripts work locally
        Thank you so much. I have been going mad trying all the options in IE6 to make this work. I do a lot of javascript development work. Your article is not only a life saver but presented in simple clear straight forward helpful terms for people to understand with actual examples.
        WONDERFUL!
        Thank you again for taking the trouble ot clarify this

        Brian, Sat, 6 May 2006 11:26:00 -0700
        Thanks, your instructions helped tremendously on allowing blocked content from local files.

        Ali, Mon, 15 May 2006 23:26:30 -0700
        Thank you so much! I've tried the HTA route and I liked it so much! It works for for displaying the 1st HTML page only. When I treid to call another HTA file from the 1st HTML page (to display another HTML page) the security warning window displaying Run|Save|Cancel appeared. Do you have a workaround for this, too?
        Answer: You should be able to open another page simply by providing a normal link to the HTML file - the page will then open in the same HTA window. You do not need to wrap all pages in a HTA file.
        Thank you very much for your quick reply and assistance. Yes, I did just as you suggested. It works just like I wanted the first time!!

        Diana Ost, Tue, 16 May 2006 10:15:16 -0700
        Has anyone tried any of these applications with a WebHelp file generated from RoboHelp? Some of the solutions look too difficult for me, but others I might be able to manager. Problem is, the WebHelp file uses frames, with a TOC on the left and content called from the TOC link on the right.
        What does everyone suggest as the best solution for this problem?
        And, is there any way to register the ActiveX file and give it a certificate to make IE run on our intranet WITHOUT the yellow bar showing up??
        Thanks in advance!

        Scott, Thu, 08 Jun 2006 01:29:32 (GMT)
        Just wanted to thank you for this page. It was very clear and helpful.

        Steve, Wed, 21 Jun 2006 19:25:41 (GMT)
        Thanks for all the info. Another weaker suggestion for Microsoft would be to at least make the information bar smarter with one-click options to either accept blocked content or see more information. Three clicks starts to make wrist slashing seem like a reasonable alternative...

        Makarand Kurkure, Thu, 13 Jul 2006 16:11:45 -0700
        The content is very helpful. We had resolved Brio Query insight issue through this.

        lisa james, Mon, 31 Jul 2006 23:49:13 -0700
        I FOUND YOUR SITE VERY HELPFUL AND TO THE POINT,THANK YOU.

        jerry, Fri, 11 Aug 2006 08:05:49 (GMT)
        wounderfull information it helped me alot

        Steve, Sat, 12 Aug 2006 19:20:30 (GMT)
        I wanted to add my thanks for your really excellent information. This is the only proper explanation I've found, after much looking. Microsoft should be truly ashamed for their slapdash "fixes". You describe all aspects of this issue so well.

        JJ, Wed, 16 Aug 2006 08:53:03 (GMT)
        I've written VBS code to add in a Mark Of The Web to a .mht file that gets created dynamically and saved to the user's TEMP folder. The VBS utility then opens up the .mht file but I'm still getting the Information Bar. However, if I run the .mht file by double-clicking on it I don't get the Information Bar!
        So, is there some restriction with the MotW that prevents it from working if the web page is called from a VBS?

        Martin, Sun, 20 Aug 2006 17:38:17 (GMT)
        Thanks a bunch for setting up this informative website. It saved me a lot of time and aggravation trying to understanding the trouble I went through.
        For my personal means I adopted the suggested workaround solution via mapping the local Website \\PCIdentity\C$\PATH to some drive letter -> works like a breeze here.

        xicar, Sat, 26 Aug 2006 03:06:21 (GMT)
        I m having some troubles when i try to open a zip file directly from a cd/dvd a pop up open telling me that my security settings do not allow this action this happend when i double click on each zip file but if i do it from the tree in the windows explorer i can open it this begin to happend since i update framework.net with the last security patch
        can someone tell me how i change this security setting?
        thks

        mfouchi, Tue, 12 Sep 2006 18:51:34 (GMT)
        Thank you, thank you, thank you.
        Luckily I came across this site with the solution for Java hanging when closing an HTA process (mshta.exe)

        t'ni, Sat, 28 Oct 2006 23:05:10 (GMT)
        I bow down to you. This page has all the information I've been looking for for months. Your MOTW solution does seem to work, however I am not editing the 32767 pages I have on my computer.
        I always thought the the Local Intranet contained MY computer, glad now you've shown it to me.
        Since I already have drives subst'd for E:\Local Trusted Internet Pages\ and E:\Newly Downloaded and NotSo Trusted Internet Pages\ I'll give this mapping bit a try.
        Thank you from the bottom of my heart for such an informative article. I am so indebted to you after pulling my hair out for months since being forced to migrate to WinXP Pro SP2.

        William Pollard, Sun, 12 Nov 2006 10:45:58 (GMT)
        Thank you very much for that info on block content box, it was very useful in allowing my local intranet page to work the way I designed it to.

        Bill Wood, Wed, 13 Dec 2006 13:34:52 -0700
        Thanks for this page. Its so much clearer than the MS documentation. The only thing I would clarify is what happens when a page marked with MOTW is run in the locked down Local Computer Zone. Contrary to intuition, Local Computer Zone (and the locked down local computer zone which is used by IE) is considered the most privileged of the zones, even when it is locked down (as it is when using IE) to be effectively less privileged. So, MOTW can only switch to a less privileged zone such as Intranet or Internet zones. Using MOTW is also a way to test locally what Internet users would experience if you use the about:blank MOTW.
        Another method to mitigate this problem is to implement a simple shell program that hosts an IE active X control. Only IE is subject to lock down, other programs are not (yet)!

        Adam Gibson, Fri, 12 Jan 2007 22:14:12 (GMT)
        Thanks for the suggestions - fantastic - however - with Vista the above does not work - whats the workaround for this or have I missed something?
        Well I am trying to install Class server through our learning gateway at work - the instructions tell me to add "My computer" to the zone area by running the registry change, which I have done, but it still does not appear there so I cannot go any further.
        The gateway providers tell me that they have not made this compatible with ie7 (I think its an ie7 problem rather than Vista!) but it must just be a case of adding "My Computer" anyway?
        I wondered if there was another security setting that was preventing the registry change from happening although I am told that the change had been successful.

        Marko Aho, Thu, 26 Apr 2007 10:32:10 (GMT)
        For Vista, the reason for locally stored content not working may be, that the content was saved from email. Vista blocks these automatically, and you will have to enable the (e.g. the index.htm) content through the properties. The same applies to content sent through MS Messenger (even in XP).

        Yuriy Shikhanovich, Tue, 15 May 2007 19:34:05 (GMT)
        First of thanks for a great resource.
        I'd like to respond to a commenter asking about trying to make sure Robohelp works.
        What you basically have to do is to add application=yes to any frames and iframes (and just in case framesets, but I don't know if that's required)
        All I did was do a global replace on "<frame " => "<frame application=yes " (and the same for iframes and framesets. Make sure you do it in JS files as well as HTML files. I just hope there is no place where the syntaxes looks like this (according to my regex searches there is not in robohelp files): "<frame"+" src="+....
        I hope this is useful.

        Martin, Tue, 19 Jun 2007 04:40:19 (GMT)
        This is a great resource but I'm still stuck. I'm trying to launch a pdf in a separate window from web link but I get the activeX message "harm your computer" and business people don't want to go live with this message. I tried calling HTA file from HTML page and I get the "Do you want run..." message and again the business doesn't want to live with this message. Recommendations? Thanks.

        Bill Claxton, Fri, 20 Jul 2007 07:56:33 (GMT)
        Thought I would update you after rewriting my batch scripts to allow active content. I have described the latest scripts in my blog (http://learningweb.blogspot.com/2007/07/launching-active-content.html), and the scripts are available for download. These not only handle the IE security issue, but also the Flash player security issue. Hope it is helpful, and welcome any feedback.
        Incidentally, I think Christopher Hill's remark about network sharing exposing the content of confidential CDs is valid. But none of our CDs are confidential and in my experience this has been less of an issue than simply getting the bloody discs to run without calling tech support.
        Perhaps it's an exercise for the sysadmin to cleanup unused network shares <vbg>.

        rotimi Iziduh, Tue, 24 Jul 2007 05:38:33 (GMT)
        Hi Guys, Im trying to learn AJAX from scratch. The problem is sample ajax scripts do not run on my internet explorer browser and they return the error message "access denied".Is this because im running them without a server?or is there some other reason? here's the link to the sample page. http://www.webreference.com/programming/javascript/jf/column12/index.html thanks
        Answer: you do need to run it on a server

        Daniel, Wed, 07 Nov 2007 00:40:44 GMT
        You can tell the CD-ROM to open index.htm in it's own browser. For example, you can add HtmlViewer (www.cdmenupro.com, by Klaus Schwenk) to the CD-ROM. It's a simple browser that loads the java applet. You just need to change the CD_Conf.ini here:
        [INTRO]
        ENABLE=1
        PLAYER=_CURRENTDIR_\HtmlView.exe
        FILE=_CURRENTDIR_\index.htm
        If you need to open pdf files from inside FindInSite, Klaus also has pdfStart.

        John Dugdale, Wed, 21 Nov 2007 09:10:08 (GMT)
        I have a IE sidebar which shows web pages in a browser component. I still had to put the MOTW on all my pages to avoid the security warning. I can no longer use ajax requests which give the aforementioned access problem. Is there no way round this in the case of a DLL ?

        chetan sachania, Wed, 20 Feb 2008 11:30:32 GMT
        Hi rotimi Iziduh....
        yes if you run AJAX directly it will cause problem in IE7.
        for ex: c:/test/index.html <--- if you run html page with ajax like this it will cause Access denine ERROR.
        Solution:
        http://localhost/test/index.html
        you have to configure local site in ur IIS.

        BV, Mon, 09 Jun 2008 13:58:24 GMT
        Do you have a suggestion for flash? Adobe is following in MS footsteps, you can develop and run local, but when send it out on cd, it will fail. There are ways around similar to MS, but harder.
        [Editor: I haven't used Flash so I do not know sorry.]

        ben, Wed, 12 Nov 2008 00:09:54 GMT
        thank you so, so much for this. you've saved my neck in a dire emergency. this project's over, now i can flee back to the warm comfort of ubuntu. :P

        Greg Souders, Wed, 06 May 2009 07:13:53 GMT
        Thank you Chris Cant for producing this page. I was also struggling with this one. For me the issue arises when testing web pages locally before publishing. I think the best solution for this case is to Map a Network Drive as Ed suggests. Thanks Ed for your suggestion. This solution allows testing local web pages without compromising security. Local Machine Lockdown is bypassed if the pages are accessed via the Network Drive but still active while surfing the web.

        Ed states that you must use the following format \\PCIdentity\C$\PATH. PCIdentity is the computer name of your machine, C$ is a hidden Administrative share for the C: drive and PATH is the directory path to the folder containing you Web Site(s). This will work for XP Pro machines but not for XP Home. XP home does not create hidden Administrative shares. To overcome this, share the folder where your Web Sites(s) reside and Map your Network drive to the shared folder \\PCIdentity\SHAREDFOLDER.

        This approach will still bring up the information bar stating "Internet settings are now turned off by default...". However you can click on the bar and select "Don't Show Me this Again" to disable the message for good. The registry value that controls this message is "WarnOnIntranet" and is located here [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] The default value is 1 enabling the message, 0 disables the message.

        P?l Marosi, Mon, 27 Jul 2009 14:02:53 GMT
        Thanks for creating this outstanding page.

        Budhiram Barad, Tue, 05 Oct 2010 08:16:04 GMT
        THANK YOU

        jsllearner, Sat, 05 Feb 2011 04:09:41 GMT
        I am wondering if it is possible for this to be happening without any warnings being issued, no popup no yellow bar, nothing. I seem to be having this problem and have tried fixing my local machine/My Computer settings to allow scripting, MOTW (this did NOT work, making we wonder if this is really the problem, or if somehow the warnings are turned off???), resetting jscript.dll, resetting ie8. I dont want to be mucking around my registry until I am sure this is the problem, and especially if I am not sure it will fix it, as all I know is that no local files can run any javascript, even a simple alert. I am running vista business sp3, ie8.

        here is a sample code
        <!-- saved from url=(0014)about:internet -->
        <!DOCTYPE HTML>
        test

        could it be any simpler? all i see is the word "text".
        Later:
        well, I fixed the problem. turns out there was an extra entry in my internet zones registry which needed to be deleted (malware/flash?). go figure. see http://www.windowsbbs.com/windows-xp/96205-windows-services.html for what I did
        the full solution involves removing trojan fake alert using malwarebyte's antimalware to remove the rest of it.