Managing security options of Antamedia Secure Browser

Antamedia Secure Browser uses Internet Explorer as its core and builds a secure browsing environment on top of it with additional features. The features you can configure may increase or decrease the security level, depending mostly on the type of application or website that will run in the Secure Browser. We recommend testing your application or website and adjusting the available features until you achieve optimum performance and security.

These features can be configured from the Kiosk - Browser - IE Security and Browser Security pages. Some of the settings on these pages apply to Internet Explorer as well as Antamedia Secure Browser. Explanation of the settings on the IE Security page:


Security Internet Zone (Applies to Internet Explorer and Antamedia Secure Browser)
Allow Java: This setting determines whether the Java Runtime Environment can be used in the browser.
Allow download signed ActiveX controls: This option allows users to download signed ActiveX controls from pages.
Allow installation of desktop items: This setting determines whether users can install Active Desktop items.
Allow Java applets: An applet is a small Internet-based program written in Java, usually embedded in a web page, that can be executed from within a browser. This option determines whether Java applets will be allowed.
Allow download unsigned ActiveX controls: This option allows users to download unsigned ActiveX controls from pages. This kind of code is potentially dangerous, especially when coming from an untrusted zone.
Allow File download: This option controls whether file downloads are permitted from within the browser.
Allow Scriptlets: This option determines whether web pages can execute or call scriptlets (JavaScript, Python, Ruby etc.).
Allow Pop-up: Determines whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
Allow Font download: This option determines whether users can download HTML fonts from pages.

Restrictions (Applies to Internet Explorer)
Disable the option of selecting of download directory: This option controls whether users are able to change the default download directory.
Disable the ability to view page source HTML: This option controls whether users can view page HTML source code.
Disable Internet options: This option disables access to Internet options in Internet Explorer.
Disable File > Open: Disables the File > Open menu item.
Disable Save As: Disables the Save As menu item.
Disable File > New: Disables the File > New menu item.
Disable Find files command: Disables the Edit > Find on this page… menu item.

Control Panel (Applies to Internet Explorer)
Prevents changing Security levels for the Internet zones: This setting prevents users from changing Security levels on the Control Panel - Internet Options - Security page.
Prevents prompt me to save password from being: This setting prevents Internet Explorer from showing the “Save password” dialog after a user logs in to a web site.
Disable AutoComplete for forms: Disables the IE AutoComplete feature. The AutoComplete feature suggests possible matches for entries you type in a Web page form.
Disable Internet connection wizard: Disables the Windows New Connection wizard.


Settings on the Browser Security page apply only to Antamedia Secure Browser. You can choose from 3 predefined security levels and customize them to your own liking. The number of features on this page depends on the version of Internet Explorer installed on the kiosk PC.


ActiveX Binding Safety Checks: This feature performs additional safety checks when calling IBindHost::MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, it prevents the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control. This feature also checks the URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY security setting for the zone of the URL being bound to and determines whether the control can be initialized safely.
ActiveX Object Caching: When enabled, this feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts.
ActiveX Update Restriction: When a webpage attempts to load or install an ActiveX control that is not already installed, this feature blocks the request. When this feature is enabled, it can be set differently for each security zone by using the URL action flag URLACTION_AUTOMATIC_ACTIVEX_UI.
AJAX Connection Events: This feature enables events that occur when the value of the online property of the navigator object changes, such as when the user chooses to work offline. For more information, see the ononline and onoffline events.
Application Protocol Confirmation: Internet Explorer uses confirmation dialog boxes when opening content from potentially untrusted sources. By default, applications hosting the WebBrowser Control do not display these confirmations.
Child Window Clipping: Internet Explorer 9 optimized the performance of window-drawing routines that involve clipping regions associated with child windows. This helped improve the performance of certain window drawing operations. However, certain applications hosting the WebBrowser Control rely on the previous behavior and do not function correctly when these optimizations are enabled.
Circular References in Script Management: Internet Explorer reduces memory leaks caused by circular references between Internet Explorer and the Microsoft JScript engine, especially in scenarios where a webpage defines an expando and the page is refreshed. If a legacy application no longer functions with these changes, this feature can disable these improvements.
Clipboard Script Control: When enabled, this feature allows scripts control over the Clipboard. This allows applications hosting the WebBrowser Control to opt out of a specific security check that may be unnecessary for the content displayed by the application. If the content is fully trusted and cannot be modified by any third party, it may be safe to enable this feature. However, such a design decision should include a full security assessment.
Cross Domain Capture Event: This feature prevents capture events from being propagated to elements in webpages hosted on domains different than the one hosting the page containing the element that triggered the capture event.
Cross Domain Redirection: When enabled, this feature applies cross-domain security to support files loaded by a webpage, including images, JavaScript libraries, Cascading Style Sheets (CSS) files, Microsoft ActiveX controls, and other file-based resources.
Debugging Network Traffic Requests: When enabled, this feature adds a custom header to the set of headers sent with HTTP requests. The new header, X-Download-Initiator, describes how the request was initiated; the description includes the reason for the request, the type of element that initiated the request, and contextual details that vary according to the design of the webpage.
DOM Storage API Support: When enabled, this feature allows Internet Explorer and applications hosting the WebBrowser Control to use the DOM Storage API.
Feeds: This feature enables MIME-sniffing for Really Simple Syndication (RSS) feeds, and feed auto-discovery. When this feature is enabled for applications that host the WebBrowser Control, a notification sound is played when feeds are discovered in a webpage.
File Download Restrictions: This feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). When enabled, this feature can be set differently for each security zone by using the URLACTION_AUTOMATIC_DOWNLOAD_UI URL action flag.
Frame Content Modification: This is a security measure designed to prevent malicious sites from hijacking content hosted by legitimate websites. When enabled, this feature allows frame content to be modified by windows hosted by any domain except for those listed in the Restricted zone.
Frame Content Security: When frame and iframe objects contain non-HTML content, there is a risk that unsafe interfaces may be exposed. When enabled, this feature prevents this exposure.
GPU Rendering: This feature enables Internet Explorer to use a graphics processing unit (GPU) to render content. This dramatically improves performance for webpages that are rich in graphics.
IFrame Mailto Threshold: For security reasons, Internet Explorer counts the number of requests to the mailto protocol made from an iframe element. When the number of such requests exceeds a certain limit within a certain period of time, additional requests are delayed to limit malicious behavior. This feature controls these restrictions.
Image MIME Type Determination: By default, Internet Explorer verifies images downloaded from a web server to determine the content type of the image. If the image data cannot be recognized and the web server specifies a MIME type for the image, Internet Explorer displays the image according to the MIME type value when this feature is enabled. If the feature is disabled, Internet Explorer tries to evaluate unrecognized image data as other MIME types, such as XML and HTML.
Information Bar Handling: This feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted.
Input Prompt Blocking: When enabled, this feature allows the pop-up blocker to block JavaScript input prompts, such as the dialog box displayed by the prompt method of the window object. This helps prevent spoofing attacks.
Legacy Compression Support: Internet Explorer 7 consolidated HTTP compression and data manipulation into a centralized component in order to improve performance and to provide greater consistency between transfer encodings (such as HTTP no-cache headers). For compatibility reasons, the original implementation was left in place. When this feature is disabled, the original compression implementation is used.
Local Machine Lockdown: When this feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files:
1. Scripts, Microsoft ActiveX controls, and binary behaviors are not allowed to run.
2. Object safety settings cannot be overridden.
3. Cross-domain data actions require confirmation from the user.
Local Image Blocking: When enabled, this feature allows images stored in the Local Machine zone to be loaded only by webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list.
Local Object Blocking: When enabled, this feature allows objects stored in the Local Machine zone to be loaded only by webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list.
Local Script Blocking: When enabled, this feature allows scripts stored in the Local Machine zone to be run only in webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list.
MIME Type Determination: Allows the process to determine a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. When enabled, this feature can be set differently for each security zone.
MIME Type Handling: When this feature control is enabled, Internet Explorer handles MIME types more securely:
1. The file extension given to a download file is based on the user's configuration, the values of the Content-Type and Content-Disposition headers (if any), and the URL.
2. Internet Explorer will not automatically open downloaded files if the file extension is different from the file extensions supported by the registered application.
MK Protocol Support: This feature blocks resources hosted on the "MK:" protocol, which is an obsolete mechanism for linking Windows Help files to webpages. When this feature control is disabled, the "MK:" protocol is enabled.
Named Window Isolation: This feature prevents webpages hosted on one domain from manipulating named windows opened by webpages hosted on other domains. When this feature is disabled, named windows can be manipulated by other webpages, regardless of the domain they are hosted on.
Navigation Sound Support: When enabled, this feature disables the sounds played when you open a link in a webpage.
Protocol Lockdown: This feature applies the restrictions of the FEATURE_LOCALMACHINE_LOCKDOWN feature to specific protocols used in other zone contexts. For example, you can restrict HTML content from being loaded by the "shell:" protocol in the Internet zone. Because the shell protocol is designed primarily for the Local Machine zone, you can reduce the risk of malicious attacks from other zones.
Resource Protocol Restriction: When enabled, this feature restricts the res: protocol to the Local Machine zone.
Save Dialog Button Hiding: When this feature is disabled, META elements cannot be used to hide buttons in the Save dialog box.
Script URL Mitigation: When enabled, this feature allows the href attribute of a objects to support the javascript protocol.
SHDOCLC.DLL Resource Loading: Earlier versions of Internet Explorer loaded resources stored in the shdoclc.dll file. For security reasons, Internet Explorer no longer loads resources from this file by default. When enabled, this feature allows resources to be loaded from the shdoclc.dll file.
SSL Security Alert Display: When this feature is enabled, problems with a website's Secure Sockets Layer (SSL) are displayed using descriptive webpages, rather than the security alert dialog boxes seen in earlier versions of Internet Explorer.
Status Bar Update Frequency: When enabled, this feature limits the frequency of status bar updates to one update every 200 milliseconds.
Structured Storage Detection: When enabled, this feature enables the URLACTION_ALLOW_STRUCTURED_STORAGE_SNIFFING URL Action, which permits ActiveX documents to be opened within the context of a webpage on a zone-by-zone basis. For security reasons, this feature should not be enabled. Instead, applications that depend on this feature should be redesigned to use more secure approaches.
Tabbed Browsing Shortcuts and Notifications: When enabled, this feature enables tabbed browsing navigation shortcuts and notifications.
Telnet Protocol Support: When enabled, this feature disables the built-in telnet protocol handler. When this feature is disabled, the "telnet:" protocol is enabled.
UNC File Support for MotW: This feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC). If the file contains a MOTW, the file is loaded into the security context specified by the MOTW.
Usernames and Passwords in URLs: Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTPS or HTTP protocols. URLs using other protocols, such as FTP, still allow usernames and passwords. When disabled, this feature allows usernames and passwords to be included in HTTP or HTTPS URLs.
Validate URL Navigation: When enabled, this feature control prevents Windows Internet Explorer from navigating to a badly formed URL.
Visual Studio Legacy Help Support: Internet Explorer 7 strengthened the security of relative filename paths with regard to protocol handlers. While this improved security for Internet Explorer users, it created problems for earlier versions of Visual Studio Help files that relied on the earlier behavior. This feature enables the earlier behavior with regard to files using the ms-help protocol and should only be enabled in cases where earlier versions of Visual Studio are deployed.
Web Browser Control Document Zoom: When enabled, this feature allows HTML dialog boxes to inherit the zoom state of the parent window.
Web Browser Control Window Control: When enabled, this feature allows these events to affect the parent window of the application hosting the WebBrowser Control. Because this can lead to unpredictable results, it is not considered desirable behavior.
WebOC Addon Management: This feature enables applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explor
Window Restrictions: When enabled, this feature adds several restrictions to the size and behavior of popup windows:
1. Popup windows must appear in the visible display area.
2. Popup windows are forced to have status and address bars.
3. Popup windows must have minimum sizes.
4. Popup windows cannot cover important areas of the parent window.
XDomainRequest Object Support: When enabled, this feature enables the XDomainRequest object, which represents a cross-domain Asynchronous JavaScript and XML (AJAX) request.
XMLHttpRequest Object Support: This feature enables or disables the native XMLHttpRequest object.
Zone Elevation: When enabled, this feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user.
Zone Handling for Missing Files: When enabled, this feature manages the security context of URLs specified in local files. If a local URL specifies a file or directory that does not exist, the URL is loaded in the Restricted zone when opened.
Zone String Loading: By default, Internet Explorer uses localized resource files to populate the names of the security zones in the user interface. When enabled, this feature allows applications to specify these strings in the registry. Enabling this feature is strongly discouraged.
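
Several entries in this list (Local Machine Lockdown, Zone Elevation, MIME Type Handling, File Download Restrictions, Telnet Protocol Support) correspond to Internet Explorer feature controls, which Windows stores per process as DWORD values under the FeatureControl registry key. The script below is an added example, not part of the original article or of Antamedia's software: it checks a `reg export` of that key against a baseline. The process name SecureBrowser.exe, the sample export and the baseline are assumptions, as is the premise that the kiosk's settings end up in these keys.

```python
import re

# Hypothetical executable name; the page does not name the Secure Browser process.
PROCESS = "SecureBrowser.exe"

# Feature control key -> (value that turns the protection on, setting name on this page).
BASELINE = {
    "FEATURE_LOCALMACHINE_LOCKDOWN": (1, "Local Machine Lockdown"),
    "FEATURE_ZONE_ELEVATION": (1, "Zone Elevation"),
    "FEATURE_MIME_HANDLING": (1, "MIME Type Handling"),
    "FEATURE_RESTRICT_FILEDOWNLOAD": (1, "File Download Restrictions"),
    "FEATURE_DISABLE_TELNET_PROTOCOL": (1, "Telnet Protocol Support"),
}

# Constructed sample of `reg export` output for the FeatureControl key (not real kiosk data).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"SecureBrowser.exe"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
"*"=dword:00000001
"SecureBrowser.exe"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
"*"=dword:00000001
'''

KEY_RE = re.compile(r"^\[.*\\FeatureControl\\(FEATURE_\w+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def parse_export(text):
    """Return {FEATURE_NAME: {value name (lower-cased): DWORD}} from .reg text."""
    features, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = features.setdefault(key.group(1).upper(), {})
        elif line.startswith("["):
            current = None  # a registry key outside FeatureControl
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1).lower()] = int(val.group(2), 16)
    return features

def audit(text, process=PROCESS):
    features, findings = parse_export(text), []
    for name, (want, label) in BASELINE.items():
        values = features.get(name, {})
        # Assumption: a value named after the process takes precedence over "*".
        got = values.get(process.lower(), values.get("*"))
        if got != want:
            findings.append((name, label, "not set" if got is None else f"set to {got}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so decode them accordingly before passing the text to `audit()`.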
