Cal Learner
While looking for a different setting in the Zone security details
of IE6 Tools Tools->Options->Security I ran across "Open files based
on content, not file extension", and the option was set by default.
I thought, if an EXE file on a page is named *.gif, do I want to
"open"=run it as an EXE, or do I want the picture viewer to try to
handle it as a GIF. Please, let the picture viewer think it is a
corrupted GIF. So I clicked from Enable to Disable. I was in the
trusted sites zone at the time.
I got to wondering why this setting was added, and why enable was
the default. Maybe there was some security reason to not change it
that I did not understand. I was in the trusted sites zone at the
time.
Today I searched for that item and hit on
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx
That says that the default setting is Enabled for Internet,
Intranet, and Trusted Sites zones, but *Disabled* for Restricted
Sites Zone. That confirmed to me that the Disabled is the safer
setting. And if there is a place I need to select a safer setting,
it is in the Internet zone the way I set things up.
So my questions are, why have the setting ever Enabled?
Why is the default "Enable"?
What I would feel better about is some setting that says if the
filename and the file-type-based-on-content differ materially, warn
me or something. Here is an experiment that worries me. Make a copy
of a safe .exe file, but name it test.jpg. Then in a Cmd window,
type "test.jpg". It runs the .exe program! I thought that was a
quirk of command windows, but not a problem with IE6. Perhaps I was
wrong-- again.
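
The check the poster asks for, comparing what a file's name claims against what its leading bytes say and warning on a mismatch, as an added example that is not part of the original post. The signature table is a small illustrative subset, the function names are hypothetical, and the sample files are constructed.

```python
import os
import tempfile

# Well-known leading "magic" bytes mapped to a type label.
SIGNATURES = [(b"MZ", "exe"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
              (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png")]
# Type each extension claims to be.
EXTENSIONS = {".exe": "exe", ".gif": "gif", ".jpg": "jpeg",
              ".jpeg": "jpeg", ".png": "png"}


def sniff(path):
    """Return the type implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check(path):
    """Return (claimed, actual, verdict) for one file."""
    claimed = EXTENSIONS.get(os.path.splitext(path)[1].lower())
    actual = sniff(path)
    if claimed is None or actual is None:
        return claimed, actual, "unknown"
    return claimed, actual, "ok" if claimed == actual else "mismatch"


def demo():
    """Write constructed sample files to a temp dir and check each."""
    samples = {
        "test.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # constructed: MZ header, .jpg name
        "real.gif": b"GIF89a\x01\x00\x01\x00",      # constructed: GIF header
        "notes.txt": b"hello",                      # constructed: type not in table
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            results[name] = check(p)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A "mismatch" verdict is the case worth a warning; "unknown" only means the table has no entry for the extension or the header.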