Navigation

Securing Internet Explorer

By . Last modified: 2014-08-14.

How to configure Internet Explorer for safer internet browsing in Windows XP, Vista, 7, 8 and 8.1

Open Tools menu (Alt+T in Internet Explorer 8 and Alt+X in Internet Explorer 9, 10 and 11) and choose Internet Options. If Menu or Command bars are not visible, press ALT key on keyboard once to make menus visible.
Internet Explorer 8, click 'Internet Options' in Tools menu to configure Internet Explorer. Internet Explorer 9, click 'Internet Options' in Tools menu to configure Internet Explorer.

In Windows 8 and 8.1, the settings below are shared between Desktop and Modern UI/Metro versions of Internet Explorer.

Open Security tab and click Reset all zones to default level, if the button is not grayed out (the latter means that all zones are already at default level).
Windows Vista, 7, 8 and 8.1 users should also make sure that Enable Protected Mode (requires restarting Internet Explorer) is on for Internet and Restricted sites zones - this defends your computer from malicious software and drive-by attacks on the Internet. This options is not available in Windows XP.
Internet Explorer, Internet Options. Open Security tab and click Reset all zones to default level.

Click Privacy tab. Make sure that the Settings slider is set to Medium. If not, click the Default button. This sets a reasonable policy for allowing and disallowing cookies.
Internet Explorer 8, Internet Options, Privacy tab. Set Privacy settings slider to Medium; or click the Default button.

For Internet Explorer 9, 10 and 11 users, there is another option here - Never allow websites to request your physical location. Most privacy-aware people should click to check this box.
I strongly recommend using this settings, because geolocation security and privacy are still developing and you should prevent malicious sites from tracking your physical location. If the Clear sites button is not disabled (grayed out), click it to remove stored location data.
Internet Explorer 9, Internet Options, Privacy tab. Set Privacy settings slider to Medium; or click the Default button. Also click to select the 'Never allow websites to request your physical location' option.

Open Content tab and click the Settings button in AutoComplete section.
Internet Explorer, Internet Options, Content tab. Click Settings button in AutoComplete section.

Here in AutoComplete Settings window you can leave everything on except for the Ask me before saving passwords. This is very important because malware can easily steal all user names and passwords for sites you have visited (including your bank!). Use free Password Safe for remembering passwords instead.
Internet Explorer, Internet Options, AutoComplete Settings. You can turn everything on here, except for the 'Ask me before saving passwords' option. This will disable automatic saving of passwords for websites. Internet Explorer 11, Internet Options, AutoComplete Settings. You can turn everything on here, except for the 'Ask me before saving passwords' option. This will disable automatic saving of passwords for websites.

If you have already saved some passwords or you want to be sure that no passwords are stored in Internet Explorer, click the Delete AutoComplete history... button.
Clear everything except Passwords and click Delete. This will clear saved passwords and close the Delete Browsing History window.
Internet Explorer 9, Internet Options, Delete Browsing History. Clear all options except 'Passwords'. Then click Delete to clear saved passwords. Internet Explorer 11, Internet Options, Delete Browsing History. Clear all options except 'Passwords'. Then click Delete to clear saved passwords.

Click OK to close AutoComplete Settings window.

Next, open Advanced tab. This is a long list of advanced settings, try to configure settings like on pictures. We will cover security-related settings here.

In Browsing section, turn on the Enable third-party browser extensions setting to allow third-party security add-ons.
If your Internet Explorer crashes or will not start after enabling third-party extensions, turn Enable third-party browser extensions off again (open Control Panel and double-click Internet Options) and start troubleshooting: tutorials are available for Internet Explorer 8 , 9 and 10.
Internet Explorer 9, Internet Options, Advanced tab. Tick the two 'Disable script debugging' boxes. Select 'Enable third-party browser extensions'. Internet Explorer 11, Internet Options, Advanced tab, tick the two 'Disable script debugging' boxes. Select 'Enable third-party browser extensions'.

Security section is certainly the most important part.
Always turn off settings named Allow active content from CDs to run on My Computer, Allow active content to run in files on My Computer and Allow software to run or install even if the signature is invalid! Enabling these options gives a hearty welcome to viruses and malware.
Check for publisher's certificate revocation and Check for server certificate revocation should be enabled to prevent malware from using stolen or outdated security certs.
Internet Explorer, Internet Options, Advanced tab. Always clear two 'Allow active content' boxes and the 'Allow software tor run or install even if the signature is invalid' box. Tick the 'Check for server certificate revocation' box to avoid problems with end-of-life certificates.

Always enable Check for signatures on downloaded programs - this one helps to identify malware that disguises as legal software.

Enabling Do not save encrypted pages to disk keeps your sensitive personal information in online banks or other services away from your computer's hard drive and avoids private data disclosures. Internet Explorer 9, 10 and 11 users might still need to leave the feature disabled, because it causes trouble while downloading files from secure webpages (IE either "fails to connect" or downloads a web page instead of the requested file). 

Always disable the Enable Integrated Windows Authentication option. This one is useful only for business computers in local domain networks. You are on the Internet and you must not send your username and password automatically to any server asking for them.

Always activate new protection methods Enable memory protection to help mitigate online attacks and Enable SmartScreen Filter. The first one turns on DEP (Data Execution Prevention) system that blocks possible attacks through infected web pages. The second one warns you about malicious websites and downloads. These settings do a lot to keep you safe. Cool

Leave only Use SSL 3.0 and Use TLS 1.0 checked to speed up secure web traffic (HTTPS protocol). Clear Use SSL 2.0, Use TLS 1.1 and Use TLS 1.2 boxes.

Turn on Warn about certificate address mismatch, too. It helps to identify malicious web sites that pretend to be perfectly legal.

In Internet Explorer 10, there are two new important options. First one, Always send Do Not Track header prevents advertisers from tracking your online behavior and should always be enabled.
The Enable Enhanced Protected Mode (aka Sandboxing) option denies access to local drives and Registry unless a user specifically asks for it. This is very useful in blocking malware that spreads using zero-day exploits or unpatched security bugs. But please be aware that this setting might also prevent several security add-ons from running until specific updates are released!
Internet Explorer, Internet Options, Advanced tab. Tick 'Check for signatures on downloaded programs' and 'Do not save encrypted pages to disk' boxes. Clear 'Enable Integrated Windows Authentication'. Tick 'Enable SmartScreen Filter'. Click OK to close Internet Options. Internet Explorer 10, Internet Options, Advanced tab. Ensure the 'Always send Do Not Track header' and 'Enable Enhanced Protected Mode' are turned on.

Scroll all the way down and clear the Warn if changing between secure and not secure mode box. Then make sure that the Warn if POST submittal is redirected to a zone that does not permit posts box is checked.

Here you see that Internet Explorer 11 has the Do Not Track option renamed to Send Do Not Track requests to sites you visit in Internet Explorer. Enable it.
The Enable Strict P3P Validation check box is available in Internet Explorer 10 and 11 only. It should be cleared, because only IE supports it and the feature is difficult to implement on web sites. You can read more about P3P in this Wikipedia article if you have spare time.
Internet Explorer 11, Internet Options, Advanced tab. Ensure the 'Send Do Not Track requests to sites you visit in Internet Explorer' and 'Enable SmartScreen Filter' options are turned on.

Click OK to close the Internet Options dialog. You might have to restart Internet Explorer for all settings to take effect.

Additional free security plugins for Internet Explorer

To stay away from malicious sites and downloads, use WOT Safe Surfing Tool. It also shows site ratings in search engine results (Google, Bing, etc) and on Facebook and Twitter.

Use Trusteer Rapport (aka Trusteer Endpoint Protection) for securing your account data and money from data-stealing malware.

To protect Internet Explorer from zero-day attacks, use the free Microsoft EMET. An even easier-to-use alternative for this is Malwarebytes Anti-Exploit.

 

Sub Navigation

Sub Navigation
Next: Securing Mozilla Firefox
Previous: Securing Google Chrome
comments powered by Disqus