The IE9 security level settings under Windows 7 are listed below. (A blank cell means the value is the same as in the previous column.)

| Category | Property | Medium | Medium-High | High |
|---|---|---|---|---|
| .NET Framework | XAML Browser Application | Enable | Disable | Disable |
| | XPS Document | Enable | | Disable |
| | Loose XAML | Enable | | Disable |
| .NET Framework-related components | Components with permissions for the manifest | High Security level | | Disable |
| | To run a component that is not Authenticode signed | Enable | | Disable |
| | To run a component that has been signed with Authenticode | Enable | | Disable |
| ActiveX Controls and Plug-ins | ActiveX Control Auto Prompt | Disable | | Disable |
| | Execute a script on an ActiveX control marked as safe to execute a script * | Enable | | Disable |
| | Initialize and execute a script on an ActiveX control that is not marked as safe to execute scripts | Disabled (recommended) | | Disabled (recommended) |
| | Binary and scripting behavior | Enable | | Disable |
| | Allow only approved domains to use ActiveX without prompting | Disable | Enable | Enable |
| | Downloading an unsigned ActiveX control | Disabled (recommended) | | Disabled (recommended) |
| | Download a signed ActiveX control | Prompt (recommended) | | Disable |
| | Allow ActiveX filtering | Enable | | Enable |
| | Allow Scriptlet | Disable | | Disable |
| | Allows you to run an ActiveX control that was not previously used without prompting | Enable | Disable | Disable |
| | Running ActiveX controls and Plug-ins | Enable | | Disable |
| | Display video and animation on a Web page that does not use an external media player | Disable | | Disable |
| Script | Java Applet Script | Enable | | Disable |
| | Active Scripting | Enable | | Disable |
| | Enable XSS Filters | Enable | | Enable |
| | Allow programmatic access to the Clipboard | Prompt | | Disable |
| | Allow Web sites to use Script window hints for information | Enable | | Disable |
| | Allow the status bar to be updated with scripts | Enable | Disable | Disable |
| Other | Continuous use of user data | Enable | | Disable |
| | Loading applications and unsafe files | Prompt (recommended) | | Prompt (recommended) |
| | Include local directory path when uploading files to the server | Enable | Disable | Disable |
| | Cross-domain browsing windows and frames | Disable | | Disable |
| | Enable MIME sniffing | Enable | | Disable |
| | Using the SmartScreen filter | Enable | | Enable |
| | Using Pop-up Blocker | Enable | | Enable |
| | Web sites in less privileged web content areas can navigate to the zone | Enable | | Disable |
| | Submit a form that is not encrypted | Enable | | Prompt |
| | Accessing a data source from a domain | Disable | | Disable |
| | Drag-and-drop or copy and paste files | Enable | | Prompt |
| | Show mixed content | Prompt | | Prompt |
| | Allow META REFRESH | Enable | | Disable |
| | Allow scripting of Microsoft Web Browser Controls | Disable | | Disable |
| | Windows that allow script initialization, not limited by size or position | Disable | | Disable |
| | Allow Web pages to use active content restricted protocols | Prompt | | Disable |
| | Allow a Web site to open a window without an address or status bar | Enable | Disable | Disable |
| | Loading programs and files in an IFRAME | Prompt (recommended) | | Disable |
| | Do not prompt for client certificate selection when only one certificate exists | Disable | | Disable |
| Enable the .NET Framework Setup program | | Enable | | Disable |
| Download | File download | Enable | | Disable |
| | Font Download | Enable | | Disable |
| User authentication | Login | Automatically log on only in the Intranet zone | | Prompt for user name and password |
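To check a machine against the High column of the table, the zone's registry export can be compared with the expected values. The following is an added example, not part of the original page: the registry value names (URL action codes), the 0/1/3 data encoding and the `Zones\3` key are standard Internet Explorer zone settings that the page itself does not list, and the sample export and function names are constructed for illustration.

```python
import re

# URL action codes for some rows of the table, with the value the table gives
# for the High level. Registry data: 0 = Enable, 1 = Prompt, 3 = Disable.
HIGH_BASELINE = {
    "1200": ("Running ActiveX controls and plug-ins", 3),
    "1400": ("Active scripting", 3),
    "1407": ("Allow programmatic access to the Clipboard", 3),
    "1409": ("Enable XSS filter", 0),
    "1601": ("Submit a form that is not encrypted", 1),
    "1608": ("Allow META REFRESH", 3),
    "1609": ("Show mixed content", 1),
    "160A": ("Include local directory path when uploading files", 3),
    "2100": ("Enable MIME sniffing", 3),
}
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample: a .reg export of the Internet zone (Zones\3) key.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000000
"1407"=dword:00000003
"1409"=dword:00000000
"1601"=dword:00000001
"1608"=dword:00000003
"160A"=dword:00000000
"2100"=dword:00000003
'''

def parse_reg(text):
    """Return {value name: int} for every four-digit dword value in a .reg export."""
    pairs = re.findall(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})\s*$', text, re.M)
    return {name.upper(): int(data, 16) for name, data in pairs}

def audit(text, baseline=HIGH_BASELINE):
    """List (code, setting, found, expected) for values that differ from the baseline."""
    found = parse_reg(text)
    findings = []
    for code, (setting, want) in baseline.items():
        have = found.get(code)  # None: the value is absent from the export
        if have != want:
            label = "missing" if have is None else ACTION.get(have, hex(have))
            findings.append((code, setting, label, ACTION[want]))
    return findings

if __name__ == "__main__":
    for code, setting, have, want in audit(SAMPLE_REG):
        print(f"{code}  {setting}: {have} (High level: {want})")
```
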
Some of the settings that deserve attention or a short explanation are described below.
XAML
Extensible Application Markup Language, an XML-based user interface description language, is used in the .NET Framework to describe the UI.
http://zh.wikipedia.org/wiki/XAML
http://msdn.microsoft.com/en-us/library/ms752059.aspx
Scriptlet
A scriptlet is a lightweight way to package a page as a component. For example:
<object id="ScrltCode2"
type="text/x-scriptlet" data="datetime.html"></object>
Here datetime.html is an HTML page that contains the full functionality.
http://msdn.microsoft.com/en-us/library/office/aa189871(v=office.10).aspx
Authenticode
A signature method for applications downloaded from the Web.
http://technet.microsoft.com/en-us/library/cc750035.aspx
XSS Filter
XSS protection capabilities added starting with IE8.
http://windows.microsoft.com/zh-CN/internet-explorer/products/ie-8/features/safer?tab=ie8xss
Allow programmatic access to the Clipboard
This is what the common "click to copy" feature relies on, so such features need a fault-tolerant fallback for when this item is disabled.
Include local directory path when uploading files to the server
If this is disabled, you get a path like this when uploading files:
C:\fakepath\xxxxxx.png
See the following articles for solutions.
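Because the table shows this setting enabled at the Medium level and disabled at Medium-High and High, a server can receive a bare file name, the `C:\fakepath\` placeholder, or a full client path from the same browser. The following is an added example, not part of the original page, of normalising the received name on the server; the function name and sample values are constructed for illustration.

```python
import re

FAKEPATH = "c:\\fakepath\\"  # placeholder prefix substituted by the browser

def client_path_info(raw):
    """Split a client-supplied upload name into (safe_name, leaked_dir).

    raw is the file name as received from the client. leaked_dir is the
    directory part the browser disclosed, or None when only a bare name or
    the fakepath placeholder arrived.
    """
    if raw.lower().startswith(FAKEPATH):
        raw = raw[len(FAKEPATH):]  # placeholder, not a real directory
    # Treat both separators as path separators whatever the server OS is:
    # on Linux, os.path.basename() keeps "C:\Users\..." as one long name.
    idx = max(raw.rfind("\\"), raw.rfind("/"))
    leaked_dir = raw[:idx] if idx >= 0 else None
    # Drop control characters and refuse empty or dot-only names
    name = re.sub(r"[\x00-\x1f\x7f]", "", raw[idx + 1:]).strip()
    if name in ("", ".", ".."):
        raise ValueError("no usable file name in upload")
    return name, leaked_dir

if __name__ == "__main__":
    # Constructed sample inputs
    for sample in ("C:\\fakepath\\photo.png",
                   "C:\\Users\\alice\\Desktop\\photo.png",
                   "photo.png"):
        print(client_path_info(sample))
```

Store and display only the returned name, and keep `leaked_dir` out of logs, since it can contain the user's account name.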
MIME sniffing
Determines the file type by probing the content rather than trusting the declared MIME type. The file type is not promoted to a more dangerous file type. For example, a file that is received as plain text but contains HTML code will not be promoted to an HTML type, because it may contain malicious code.
Show mixed content
This prompts you when an HTTPS page includes a request made over HTTP.
Allow META REFRESH
So when you do a browser-side redirect, you cannot rely on meta refresh alone; you need to use the following compatible method: