Bugtraq mailing list archives

IE 4.x does not appear to save custom security settings


From: jschultz () MAIL COIN MISSOURI EDU (John Schultz)
Date: Wed, 4 Nov 1998 16:10:28 -0600


I reported the following behavior to secure () microsoft com, but they don't
think it's a problem.  The gist of the problem is that if you use the
Custom security level in IE 4.x, make some modifications to the settings,
switch to a different security level (to access a site that required some
functionality you disabled in the Custom level, such as Java, ActiveX,
etc.), and then switch back to the Custom level, at least some of the
settings will have changed.  I could find no indication in help if this is
the intended behavior, but it could certainly cause problems if you
thought JavaScript was disabled when it wasn't.

---------- Forwarded message ----------
Date: Wed, 4 Nov 1998 10:03:18 -0600 (CST)
From: John Schultz <jschultz () mail coin missouri edu>
To: Secure () microsoft com
Cc: John Schultz <jschultz () mail coin missouri edu>
Subject: IE 4.x does not appear to save custom security settings

IE 4.x does not appear to save some of the custom security settings I have
modified via the View | Internet Options | Security dialog.  If I switch
to a different security level and then back to the Custom level, I have
noticed that some settings have not been retained.  On my machine, I have
disabled Java, scripting, and ActiveX, in addition to changing a few other
security settings.  If I disable these items in the Custom level, switch
to the High level to access some site that requires a disabled feature
(such as Java), and then switch back to the Custom level, I would expect
Java to be once again disabled.  All testing was done while set for the
Internet zone.

Here are the security settings I have noticed changing when switching from
the Custom level to the High level, and then back again.  I believe this
list is not inclusive of the settings that do not "stick" - it's just the
settings I noticed during my testing:

* Script ActiveX controls marked safe for scripting - was disabled in
Custom level, enabled in Custom level after switching to High level and
back to Custom.
* File download - was enabled in Custom level, disabled after the switch.
* Java permissions - was disabled in Custom level, set to High safety
after the switch.
* Installation of desktop items - was set to Prompt in Custom level, set
to Disable after the switch.
* Active scripting - was set to disable in Custom level, enabled after the
switch.

These changes would occur when changing my security level from Custom to
High and either:

1. Closing the Internet Options dialog, reopening the dialog, and
selecting Custom level.
2. Clicking the Apply button without closing the Internet Options dialog,
and selecting the Custom level.

My machine is running NT4 SP3 (128-bit) with most of the post-SP3 security
hotfixes applied.  I have downloaded the 128-bit SP4 but have not
installed it yet.  I am running IE 4.01 SP1 with all IE security patches
applied.  The Help | About dialog displays version 4.72.3110.8 and update
versions ;SP1;2922;2958;

John Schultz
jschultz () mail coin missouri edu


