|
(SST) ShlWAPI.pas Version 1.08 |
|---|---|
| Developer Reference |
| Checks if the Internet Explorer Enhanced Security Configuration is active. |
| Scope |
|---|
| Global (i.e. this function can be called/accessed from code in any unit that includes/uses (SST)ShlWAPI.pas). |
| Syntax | |
|---|---|
| function IsInternetESCEnabled() : BOOL; | |
| Parameters | |
|---|---|
| None | |
| Return Values |
|---|
| The function returns TRUE if it is executed on a system and under an account under which the Internet Explorer Enhanced Security Configuration is enabled, FALSE (= 0) if not. |
| Remarks |
|---|
| It is unclear what the (exact) prerequisites are for the function to return TRUE. |
| Whereas the function returns TRUE under Windows Server 2003 and although the function is supported under successor, workstation versions, TRUE was never returned in the tests we conducted under various, Vista user accounts, even though the users were (exclusive) members of different, built-in user groups (e.g. "Administrators", "Power Users", "Users", etc.) and the accounts had been configured. to use different levels (e.g. low, medium, high, etc.) of Internet and intranet*1 security settings. |
| In spite of the comprehensive discussion of (Internet Explorer) Security Zones we did not find much more on the possible causes for this behavior in the SDK documentation than the introductory*2 and fourth*3 paragraphs of the "Enhanced Security Configuration for Internet Explorer" article. These texts suggesting that the "Enhanced Security Configuration" feature is, at least per default, restricted to (Windows 2003) server*4 versions. However, as this is not expressly stated and this configuration/policy can (presumably) also be modified through software*5 and/or system/IE updates under workstation versions, this remains a question requiring clarification by Microsoft. |
| *1 This included activating and deactivating the automatic, intranet, network detection (i.e. the "Automatically detect intranet necwork" check box on the "Local intranet" dialog) and configuring at least one account according to the settings described under "Enhanced Security Configuration for Internet Explorer" (even if we can't discount that we might have missed the combination of settings that would have returned TRUE). |
| *2
"As a best security practice, a server administrator should not browse Internet Web sites from the server. The administrator should only browse the Internet from a limited user account on a client work station to reduce the possibility of an attack on the server by a malicious Web site. Administrators sometimes need to use Web-based applications which require advanced functionality such as scripts or file downloads. It is a better practice to specifically enable functionality on a few Web sites rather than attempt to block functionality individually on an indefinite number of potentially malicious sites."
Cited from the "Enhanced Security Configuration for Internet Explorer" article of the
Microsoft SDK Help
|
| *3
"Internet Explorer determines the level of security that is warranted for a given Web page by categorizing it into a URL security zone based on the origin of the Web page. Web sites on remote servers are in the Internet security zone. Without the enhanced security configuration, Web sites on a local network are in the Intranet zone. Web sites on servers identified as potentially malicious are in the Restricted sites zone. Web sites on servers identified as trusted are in the Trusted sites zone. URL security zones templates are applied to each of these zones to specify which actions can be performed by Web pages within that zone. ..."
Cited from the "Enhanced Security Configuration for Internet Explorer" article of the
Microsoft SDK Help
|
| *4
This assumption is supported by the following remark taken from the Windows Vista Business Edition offline help:
"If you are using Internet Explorer on a server and have turned off Enhanced Security Configuration or hardening (stronger security settings for use on servers), reset will go to client level security. You must reinstall hardening if you want the increased security level."
Cited from the article "Reset Internet Explorer 8 settings" article of the Windows Vista Business Edition
(with SP 1 & IE 8) offline help.
|
| *5 Unless the relevant functionality, in the workstation versions, was replaced by dummy COM interfaces, methods, and/or functions (conceivable and not unprecedented) it is, at least in theory, possible for software that instantiates/uses the zone interfaces (e.g. IInternetSecurityManager) to modify the Internet Explorer settings in accordance with the Enhanced Security Configuration and, as result, induce the IsInternetESCEnabled function to return TRUE under Windows workstation versions. However, we would like to emphasize that we did not put this assumption to the test and it is therefore (at best) an educated guess. |
| Example |
|---|
| PROCEDURE TForm4.TestShlWAPIIsInternetESCEnabled(Sender : TObject); VAR apiretval : BOOL; VAR newinfoline : STRING; BEGIN apiretval := FALSE; newinfoline := ''; apiretval := IsInternetESCEnabled(); IF apiretval THEN newinfoline := 'The call to IsInternetESCEnabled function returned TRUE (i.e. Enhanced Security Configuration is active)' ELSE newinfoline := 'The IsInternetESCEnabled function call returned FALSE (i.e. Enhanced Security Config. is NOT enabled)'; Memo1.Lines.Add(newinfoline); Memo1.Lines.Add(''); END; |
| When run under an Administrator account on Windows Server 2003 the function produces the following output: |
| The call to IsInternetESCEnabled function returned TRUE (i.e. Enhanced Security Configuration is active) |
| Executed under an account belonging to an arbitrary, built-in, user group, on a Windows Vista workstation, the function produced the following output: |
| The IsInternetESCEnabled function call returned FALSE (i.e. Enhanced Security Config. is NOT enabled) |
| Requirements | |
|---|---|
| Unit: | Declared and imported in (SST)ShlWAPI.pas |
| Library: | (SST)ShlWAPI.dcu/(SST)ShlWAPI.obj |
| Unicode: | Not applicable. |
| Min. ShlWAPI.dll version according to MS SDK doc.: | 6.0 |
| Min. ShlWAPI.dll version based on SST research: | 6.0 |
| Min. OS version(s) according to Microsoft SDK doc.: | Windows Server 2003 |
| Min. OS version(s) according to SST research.: | Windows Server 2003, Windows Vista |
| See Also |
|---|
| GetAcceptLanguages, IsOS. |
| Windows APIs: IsInternetESCEnabled, IInternetSecurityManager Interface. |
|
Document/Contents version 1.00 Page/URI last updated on 07.12.2023 |
Copyright © Stoelzel Software Technologie (SST) 2010 - 2017 |
Suggestions and comments mail to: webmaster@stoelzelsoftwaretech.com |