MORE INFORMATION

Unless an exception is listed in the following sections, your current security settings are retained when you upgrade to Internet Explorer 6. However, the security level for all zones is set to Custom.

For additional information about your security level being set to Custom, click the article number below to view the article in the Microsoft Knowledge Base:

If you click Default Level for any zone on the Security tab of the Internet Options dialog box, you can apply the new default settings.

Changes to All Zones Settings

When you click Custom Level on the Security tab of the Internet Options dialog box in Internet Explorer 6, the following settings have been removed from the Security Settings section:

• The Cookies settings have been moved from the Security tab to the Privacy tab. These settings are not retained when you upgrade to Internet Explorer 6.For additional information about cookie settings, click the article numbers below to view the articles in the Microsoft Knowledge Base:

  296363 Cookies Settings Are Not Retained After You Upgrade to Internet Explorer 6

  283185 How to Manage Cookies in Internet Explorer 6

• The settings that are located under the Microsoft VM heading, which contains the "Java permissions" subheading, are not present if the Microsoft virtual machine (Microsoft VM) is not installed. If the Microsoft VM is installed as a stand-alone package or by means of "install on demand", these settings are added back.

The following new settings have been added to the Security Settings section when you click Custom Level on the Security tab of the Internet Options dialog box in Internet Explorer 6:

• Under the Miscellaneous heading, the "Don't prompt for client certificate selection when no certificate or only one certificate exists" setting is set to Disable for all security levels, except for the Low security level (by default, only the "Trusted sites" zone has a Low security level).
  
  The preceding setting had been added to Internet Explorer 5.5 Service Pack 1 (SP1). When this setting is set to Disable, Internet Explorer does not prompt you with a "Client Authentication" message when you connect to a Web site that has no certificate or only one certificate. The versions of Internet Explorer prior to version 5.5 SP1 display the following "Client Authentication" message even if the Web site does not have a certificate or has only one certificate:

  Identification
  
  The Web site you want to view requests identification. Select the certificate to use when connecting.

• Under the Miscellaneous heading, the "Allow Meta Refresh" setting is set to Enable for all security levels (except for the High security level) and the Meta Refresh setting continues to work as it did in previous versions of Internet Explorer. At the High security level (by default, only the "Restricted sites" zone has a High security level), the "Allow Meta Refresh" setting is set to Disable and the Meta Refresh setting does not work.
  
  The Meta Refresh setting (tag) enables the author of a Web page to redirect your browser to another Web page after a specified amount of time. For additional information about the Meta Refresh setting, refer to the following Microsoft Web site:

  http://msdn2.microsoft.com/en-us/library/Aa769236.aspx

  NOTE: This setting does not function in the Internet Explorer 6 Public Preview (Version 6.00.2462.0000). This problem was first corrected in the Internet Explorer 6 Public Preview Refresh (Version 6.00.2479.0006).
• Under the Miscellaneous heading, the "Display mixed content" setting is set to Prompt (which is the same behavior as previous versions of Internet Explorer) for all security levels, and you may receive the following "Security Information" message on the Web pages that contain both secure (https://) and nonsecure (http://) content:

  This page contains both secure and nonsecure items.
  
  Do you want to display the nonsecure items?
  

  
  

  If the "Display mixed content" setting is set to Enable, you cannot receive the preceding message and nonsecure content can be displayed. If the "Display mixed content" setting is set to Disable, you cannot receive the preceding message and nonsecure content cannot be displayed.

Changes to Restricted sites Zone Settings

The following "Restricted sites" zone settings have been changed:

• The Active Scripting setting is set to Disable, and your previous setting is not retained.
• The Java Permissions setting, which is located under the Microsoft VM heading, is set to Disable Java, and your previous setting is not retained.
• The "Script ActiveX Controls marked as safe for scripting" setting is set to Disabled, but your previous setting is retained.
• The "Allow Meta Refresh" setting is set to Disabled.

NOTE: By default, the "Restricted sites" zone is used by Microsoft Outlook Express 6, and can be used by Microsoft Outlook to restrict active content in Hypertext Markup Language (HTML) e-mail messages.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: